(54) Title: A DATA STRUCTURE AND ITS USE

(57) Abstract 

A data structure and its use in, for example, representation, analysis and verification of systems comprising continuous variables. Continuous variables arise in many areas of computer science and mathematics, for example as timers or clocks in real-time controllers and digital circuits, sensors in embedded systems, counters in concurrent protocols, variables in configuration problems, and scheduling times in planning and optimization problems. The data structure can represent and decide validity of first order propositional formulas over difference constraints or linear inequalities. The data structure can be used in symbolic model checking of concurrent timed systems modeled as timed automata, timed Petri nets or timed guarded commands. The data structure is preferably embodied as a decision diagram similar to binary decision diagrams (BDDs).
A data structure and its use

Field of the Invention 

The present invention relates to a data structure and its use in, for example, representation, analysis and verification of systems containing continuous variables. The data structure can be used, for example, to analyse real-time controllers, software, digital circuits, embedded systems, concurrent protocols, and to solve configuration, optimisation and planning problems.



Background of the Invention 

A difference decision diagram or DDD is a data structure for symbolically representing logical combinations of difference constraints (i.e., inequalities between a difference of two real-valued variables and a constant). The invention is embodied as a computer program implementing the data structure. The core of the invention is not the computer program in itself, which is just one of many possible embodiments of the invention, but a description of the data structure and a number of effective algorithms and methods for manipulating the data structure.

The data structure was invented in a project developing methods for improving the quality of embedded systems. Embedded systems are computer programs embedded in larger systems and are often used to control the behavior of the system, as for example in airbags, anti-lock brakes or railroad safety systems. These methods are based on a technique called model checking, which uses exhaustive testing of all possible states in the system to ensure that only certain good states are reachable. Until recently, exhaustive testing was considered infeasible because of the extremely large number of states, but new technological breakthroughs have changed this viewpoint. Real industrial problems of considerable complexity can be formally verified today. This has become possible by using compact data structures for representing large state spaces and efficient algorithms for manipulating them. The breakthrough for Boolean systems has enabled industrial circuit manufacturers such as Intel, Motorola and IBM to exploit these methods to improve the quality of their products and thus avoid costly bugs in their designs (the division bug in one of Intel's Pentium processors, sold in more than a million copies, has been estimated to cost more than a hundred million dollars).

Model checking has proved successful on systems with only Boolean variables, but it is still an open problem how to efficiently verify systems with (non-Boolean) discrete or continuous variables. In such systems, integer or real valued variables play a crucial role in the correctness of the system. Examples are timing aspects of a digital circuit or temperature in an embedded system. It is contemplated that the data structure can extend the positive results from Boolean systems to systems with non-Boolean variables.

Systems with discrete and continuous variables become more and more prevalent, and this has resulted in an increased demand for tools and methodologies to assist in the design, validation and test of such systems. Formal methodologies for reasoning about non-Boolean systems must contain a model including both the discrete and continuous behavior of the system. The need to represent both discrete and continuous values causes many verification algorithms to revert to using multiple data structures. This results in problems when relating, for example, control and data. As a consequence, state-of-the-art techniques for analyzing systems with time, modeled for example as timed automata, are only capable of analyzing systems with a handful of timers and a few thousand states.

The data structure can be applied not only in verification of safety properties of timed systems, but also in analysing a wide range of other problems. Difference constraints can model timing constraints, and by using logical connectives such as disjunction and existential quantification, difference constraints can also be used to represent and solve a number of planning problems such as optimal usage of a production plant, scheduling problems, economic planning problems and transport planning.

Difference constraints can also express interval constraints on variables, which combined with the logical connectives is useful in configuration tools. Configuration tools are used to assist in the assembly of complex products or safety critical systems such as cars, railroad safety systems, vending machines, trains or PCs specialized to solve a specific task. The market for configuration tools is in strong growth and estimated to be at least 3 billion dollars per year. Experiments with industrial examples show that an approach based on the data structure results in a considerable improvement in performance. Thus, the data structure can extend the application areas of configuration tools to, for instance, online configuration on the Internet in connection with e-commerce.

Summary of the Invention 

In a first aspect, the invention relates to an acyclic data structure comprising: 

• a number of nodes comprising

- at least a first and a second pointer pointing to other nodes,

- an expression comprising at least one inequality with at least one variable, the expression being adapted to result in one of at least two disjoint outcomes, each pointer representing one of the outcomes, the number of pointers corresponding to the number of outcomes of the expression,

• at least one terminal node,

• at least one node pointing to the at least one terminal node,

the expressions being ordered according to predetermined criteria, the pointers of a first node comprising an expression of a first, lower order pointing to nodes comprising expressions of second orders, the second orders being higher than the first order.

In the present context, "acyclic" means that, when following the pointers of the structure from a given node, no path exists that leads back to that node.

Also, in this context, the term "expression" will mean a mathematical expression comprising at least one variable, optionally one or more constants, possibly arithmetic operators, such as +, -, *, and /, and at least one comparison operator, such as <, >, ≤, or ≥.

One advantage of the ordering of the expressions may be seen when performing operations on one or more structures. When e.g. combining two structures, a search for nodes having a given representation is quick, as the ordering of the expressions will define where in the structure such a node could appear.

In the present context, "disjoint" preferably means that the expression, no matter the value(s) of the at least one variable, will always provide a unique outcome so that it is clear which pointer represents the outcome.

Naturally, the structure being acyclic, one or more roots are preferably present, the root(s) normally being a node not being pointed to. However, a root may be chosen within the structure, when that part of the structure pointed to by the root represents the interesting part of the structure. In fact, if the structure is optimally and totally reduced, the root may actually be a terminal node — such as in the situation where the structure — or the interesting part thereof — has been reduced to only that terminal node.

A terminal node is a node not pointing to any other nodes. In the present context, the terminal nodes 
may be adapted to represent constant expressions, such as the constants "false", "true", or "17". 
Depending on the manner in which the structure has been constructed, a number of "local" incidents are preferably avoided in order to save space and in order to optimize the operation of the generation of the structure or the use thereof.

Thus, firstly, preferably, the data structure is at least substantially free from incidents of nodes where: the first and second pointers of a first node point to a second and a third node, respectively, the second pointer of the second node points to the third node, the expressions of the first and second nodes relate to the same variables, and the variable values fulfilling or not fulfilling the expression of the first node are comprised in the variable values fulfilling or not fulfilling the expression of the second node.

Secondly, the data structure is preferably at least substantially free from incidents of nodes where all pointers of a node point to the same node.

Thirdly, the data structure is preferably at least substantially free from incidents of nodes where two 
nodes exist having identical expressions and having pointers pointing to the same nodes, where the 
first pointers of the two nodes point to the same node, and where the second pointers of the two nodes 
point to the same node. Normally, this would be the situation pair-wise for all pointers of the nodes. 

Preferably, the terminal nodes are adapted to represent Boolean values "true" and "false". This greatly simplifies the structure and the operation thereof. This provides a very versatile method and structure in that it provides the possible use of characteristic functions for representing sets and relations, and quite complicated operations, such as comparisons, unions, etc. may be performed without requiring enumeration of the elements of the sets.

Preferably, the expressions in the nodes except the terminal nodes all contain at least one inequality. The more uniform a structure, the easier to handle.

Preferably, the disjoint outcomes of the expressions constitute "true" or "false", and each node comprises two pointers. The fact that all nodes (except for the terminal nodes) have the same type of information renders the representation of the structure compact as well as simplifying the operations performed on the structure.

When the at least one inequality is a linear inequality, a large versatility is obtained within a large 
number of applications, such as economic models, optimization problems, and planning problems. 

Most preferably, the inequalities are difference constraints, which are useful when analyzing concurrent software, embedded systems, real-time systems, hardware, and in timing analysis.
There exist a number of disadvantageous incidents in acyclic structures which make querying the structure more complicated.

Thus, the data structure is preferably at least substantially free from incidents of nodes where, when following a path from one node via one or more pointers to a second node, there exists no set of variable values fulfilling a combined expression obtained by, for each node entered, the expression therein having to provide the outcome corresponding to the pointer of the node pointing to the next node.

In this manner, superfluous nodes may be removed, and the presence of a given terminal node in the structure now guarantees that a set of variable values exists that provides the outcome leading to the terminal node.

Also, the data structure is preferably at least substantially free from incidents of pairs of paths, starting in the same starting node and ending in the same ending node, where a single path may be generated, starting in the starting node and ending in the ending node, such that the same variable values fulfil the combined expression obtained when following the single path from the starting node to the ending node as fulfil the disjunction of the combined expressions of the pair of paths.

It is contemplated that, when the structure fulfills this criterion, the same structure will emerge independently of how the structure has been built from e.g. an analysis of a system — i.e. the structure will be a canonical representation of the system.

In a second aspect, the invention relates to a method of generating a data structure as described above and representing a system having a number of variables, the method comprising:

a) determining the variables, 

b) defining a number of entities in the system, the entities defining relations between variables,

c) defining criteria for ordering the expressions, 

d) representing each relation by: 

• defining a number of different expressions each comprising at least one inequality with at least one variable, and each expression being adapted to result in one of at least two disjoint outcomes,

• associating each expression with a node, the node having: 

- at least a first and a second pointer adapted to point to other nodes, 
- the number of pointers of the node corresponding to the number of outcomes of the expressions,

• ordering the expressions associated with the nodes in accordance with the defined criteria so that the pointers of a node comprising an expression of a lower order point to nodes comprising expressions of higher orders so as to generate an entity data structure representing the corresponding entity, and

e) combining the entity data structures to generate the data structure. 

In the present context, a "variable" of the system is a part thereof which may vary — typically over time. This may be values of timers, delays of gates, or values of variables of software, values representing a physical phenomenon or measure, such as temperature, flux or the like.

When determining the number of variables, one would normally limit oneself to the variables that influence the part of the system that is of interest.

Normally, the entities will be parts of the system through which variables may interact, such as gates in a circuit, statements in a program, or the like.

It has been found that the selected criteria for ordering the expressions affect the final size of the structure as well as the simplicity and computational load of the operations performed thereon.

The combination of the individual entity data structures into the data structure is performed while 
retaining the order of the expressions. In fact, due to the ordering, the step of combining the entity 
structures is simplified, as will become clear below. 

Having combined the entity structures and obtained the data structure, global relations between entities are obtained from the local relations between entities. Thus, one or more functional properties of the system such as safety properties, liveness properties, minimum or maximum values of variables, and satisfying variable assignments can be determined on the basis of the combined data structure.

In one situation, the combination of the entity data structures comprises a number of steps in each of 
which a number of entity data structures are combined, each step comprising: 

a) in the system, determining a relationship between the entities represented by the entity data structures and a mathematical operation determined by the relationship,

b) generating a new data structure by: generating an operator node representing the mathematical operation and having a number of pointers pointing to the entity data structures.

One advantage of this manner of combining the structure is that the operator nodes need not be 
converted into "normal" nodes, as they may be optimized out of the structure. 

One manner of optimizing the structure is one wherein: 

• a first node is identified, all pointers of which point to the same, second node, 

• all pointers pointing to the first node are pointed to the second node, and 

• the first node is removed. 

Another manner is one wherein: 

• two nodes are identified having identical expressions and having pointers pointing to the same 
nodes, where the first pointers of the two nodes point to the same node, and where the second 
pointers of the two nodes point to the same node, 

• pointing all pointers pointing to a first of the two nodes to the other of the two nodes, and 

• deleting the first node. 

Preferably, a set of predetermined reduction rules are repeatedly applied to the operator nodes in 
order to remove operator nodes from the data structure so as to simplify the structure at a point in 
time before converting the operator nodes into "normal" nodes. 

Most preferably, the pointers of the nodes would point pairwise to the same nodes so that the function of the two nodes is identical, and the first node may be omitted when all pointers pointing thereto are redirected to the second node. In order to finally convert the operator nodes to "normal" nodes, the method preferably further comprises the steps of:

• identifying an operator node having pointers pointing to more than two data structures, 

• replacing the identified operator node by a group of operator nodes, each operator node in the 
group having two pointers, the group of operator nodes pointing to the more than two data 
structures. 
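The operator-node route described in the preceding paragraphs, as an added Python example that is not the patent's own code. Entity data structures are stand-ins here (a string naming the entity, or the terminals True/False), an operator node is a tuple ("AND", ...) or ("OR", ...) with any number of operand pointers, the reduction rules applied before conversion are this example's own choice (the text leaves the "predetermined reduction rules" open), and the final step splits each operator node with more than two pointers into a group of two-pointer operator nodes.

```python
# Added example (not the patent's code): operator nodes over entity diagrams.
# Entities are stand-ins: a string names an entity diagram, True/False are the
# terminal nodes, and ("AND", a, b, ...) / ("OR", a, b, ...) are operator nodes.


def reduce_ops(d):
    """Apply reduction rules bottom-up so that operator nodes disappear before
    any of them has to be converted into ordinary nodes. Rules used here (this
    example's choice): fold a nested same-kind operator in, AND with false /
    OR with true collapses to that terminal, neutral terminals and repeated
    operands are dropped, and a single remaining operand replaces the node."""
    if not isinstance(d, tuple):
        return d                        # entity diagram or terminal: nothing to do
    kind = d[0]
    absorbing, identity = (False, True) if kind == "AND" else (True, False)
    operands = []
    for a in d[1:]:
        a = reduce_ops(a)
        if isinstance(a, tuple) and a[0] == kind:
            operands.extend(a[1:])      # associativity: merge a nested same-kind node
        else:
            operands.append(a)
    if any(a is absorbing for a in operands):
        return absorbing                # AND with false, OR with true
    kept = []
    for a in operands:
        if a is identity or a in kept:
            continue                    # neutral terminal, or operand already present
        kept.append(a)
    if not kept:
        return identity
    if len(kept) == 1:
        return kept[0]
    return (kind,) + tuple(kept)


def binarize(d):
    """Replace every operator node with more than two pointers by a left-nested
    group of two-pointer operator nodes over the same operands."""
    if not isinstance(d, tuple):
        return d
    kind, operands = d[0], [binarize(a) for a in d[1:]]
    acc = operands[0]
    for a in operands[1:]:
        acc = (kind, acc, a)
    return acc


def operator_nodes(d):
    """Number of operator nodes remaining in a diagram."""
    return 0 if not isinstance(d, tuple) else 1 + sum(operator_nodes(a) for a in d[1:])


def max_pointers(d):
    """Largest number of pointers any remaining operator node has."""
    if not isinstance(d, tuple):
        return 0
    return max(len(d) - 1, *(max_pointers(a) for a in d[1:]))


def prepare(d):
    """Reduce first, then binarise, in the order the text prescribes."""
    return binarize(reduce_ops(d))


if __name__ == "__main__":
    # Constructed combination of the entity stand-ins e1, e2, e3.
    spec = ("AND", "e1", True, ("AND", "e2", "e1"), ("OR", "e3", False, "e3"))
    print(operator_nodes(spec), max_pointers(spec))            # 3 4
    ready = prepare(spec)
    print(ready)                                               # ('AND', ('AND', 'e1', 'e2'), 'e3')
    print(operator_nodes(ready), max_pointers(ready))          # 2 2
```

Each entity stand-in would in practice be a complete entity data structure; the reduction pass never looks inside an operand, which is exactly why operator nodes can be removed without first converting them.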



The preferred manner of converting an operator node into "normal" nodes is one comprising the steps 
of: 
a) identifying an operator node having pointers pointing to two data structures comprising only terminal nodes or nodes the expressions of which represent inequalities,

b) replacing the identified operator node and the data structures pointed to thereby by a new data 
structure generated by performing the following procedure relating to the two data structures: 

c) • if the lowest order node of the first data structure and the lowest order node of the second data structure comprise identical expressions,

- generating a new node having an expression identical thereto, 

- generating a first new data structure from the data structures pointed to by the first 
pointers of the two lowest order nodes by performing step c), 

- having the new node's first pointer point at the first new data structure, 

- generating a second new data structure from the data structures pointed to by the second 
pointers of the two lowest order nodes by performing step c), 

- having the new node's second pointer point at the second new data structure, 

• if the lowest order node of the first data structure and the lowest order node of the second 
data structure comprise different expressions, 

- generating a new node having an expression identical to that of the two nodes having 
the lowest order, 

- generating a first new data structure from the data structures pointed to by the first 
pointer of the node having the lowest order and that node not having the lowest order by 
performing step c), 

- having the new node's first pointer point at the first new data structure, 

- generating a second new data structure from the data structures pointed to by the second 
pointer of the node having the lowest order and that node not having the lowest order by 
performing step c), 

- having the new node's second pointer point at the second new data structure, 

• if the lowest order node of one of the data structures comprises an expression, and the other 
data structure is a terminal node, 

- generating a new node having an expression identical to that of the node comprising an 
expression, 

- generating a first new data structure from the data structures pointed to by the first 
pointer of the node comprising an expression and the terminal node by performing step 
c), 


WO 00/13113 PCT/DK99/00456

- having the new node's first pointer point at the new data structure, 

- generating a second new data structure from the data structures pointed to by the second pointer of the node comprising an expression and the terminal node by performing step c),

- having the new node's second pointer point at the second new data structure, 

• if the two data structures are terminal nodes, performing the mathematical operation of the 
operator node between the terminal nodes and generating a data structure consisting of a 
terminal node representing the result of the operation. 

Instead of introducing the operator nodes, the structures may be combined directly without the use of 
special-purpose nodes. One manner of combining two structures is one wherein the combination of 
the entity data structures comprises: 

a) in the system determining a relationship between the two entities represented by the two data 
structures and a mathematical operation determined by the relationship, 

b) generating a new data structure by: 

• if the lowest order node of the first data structure and the lowest order node of the second 
data structure comprise identical expressions, 

- generating a new node having an expression identical thereto, 

- generating a first new data structure from the data structures pointed to by the first 
pointers of the two lowest order nodes by performing step b), 

- having the new node's first pointer point at the first new data structure, 

- generating a second new data structure from the data structures pointed to by the second 
pointers of the two lowest order nodes by performing step b), 

- having the new node's second pointer point at the second new data structure, 

• if the lowest order node of the first data structure and the lowest order node of the second 
data structure comprise different expressions, 

- generating a new node having an expression identical to that of the two nodes having 
the lowest order, 

- generating a first new data structure from the data structures pointed to by the first 
pointer of the node having the lowest order and that node not having the lowest order by 
performing step b), 

- having the new node's first pointer point at the first new data structure, 
- generating a second new data structure from the data structures pointed to by the second pointer of the node having the lowest order and that node not having the lowest order by performing step b),

- having the new node's second pointer point at the second new data structure, 

• if the lowest order node of one of the data structures comprises an expression, and the other 
data structure is a terminal node, 

- generating a new node having an expression identical to that of the node comprising an 
expression, 

- generating a first new data structure from the data structures pointed to by the first 
pointer of the node comprising an expression, and the terminal node by performing step 
b), 

- having the new node's first pointer point at the new data structure, 

- generating a second new data structure from the data structures pointed to by the second pointer of the node comprising an expression and the terminal node by performing step b),

- having the new node's second pointer point at the second new data structure, 

• if the two data structures are terminal nodes, performing the mathematical operation between 
the terminal nodes and generating a data structure consisting of a terminal node representing 
the result of the operation, 

repeating steps a) and b) until only a single data structure remains. 

In fact, this method of generating a structure or combining two data structures using a mathematical 
operation is a basic operation which may be used for other purposes than merely generation of data 
structures. For example the method is also useful for altering structures in order to prepare them for 
analysis/test. Thus, this more basic operation may comprise: 

a) generating the new data structure by: 

• if the lowest order node of the first data structure and the lowest order node of the second 
data structure comprise identical expressions, 

- generating a new node having an expression identical thereto, 

- generating a first new data structure from the data structures pointed to by the first 
pointers of the two lowest order nodes by performing step a), 

- having the new node's first pointer point at the first new data structure, 
- generating a second new data structure from the data structures pointed to by the second pointers of the two lowest order nodes by performing step a),

- having the new node's second pointer point at the second new data structure, 

• if the lowest order node of the first data structure and the lowest order node of the second 
data structure comprise different expressions, 

- generating a new node having an expression identical to that of the two nodes having 
the lowest order, 

- generating a first new data structure from the data structures pointed to by the first 
pointer of the node having the lowest order and that node not having the lowest order by 
performing step a), 

- having the new node's first pointer point at the first new data structure, 

- generating a second new data structure from the data structures pointed to by the second 
pointer of the node having the lowest order and that node not having the lowest order by 
performing step a), 

- having the new node's second pointer point at the second new data structure, 

• if the lowest order node of one of the data structures comprises an expression, and the other 
data structure is a terminal node, 

- generating a new node having an expression identical to that of the node comprising an 
expression, 

- generating a first new data structure from the data structures pointed to by the first 
pointer of the node comprising an expression and the terminal node by performing step 
a), 

- having the new node's first pointer point at the new data structure, 

- generating a second new data structure from the data structures pointed to by the second pointer of the node comprising an expression and the terminal node by performing step a),

- having the new node's second pointer point at the second new data structure, 

• if the two data structures are terminal nodes, performing the mathematical operation between 
the terminal nodes and generating a data structure consisting of a terminal node representing 
the result of the operation. 

In both the more specific case of generating data structures and in the more general of simply altering 
structures, it is preferred that the mathematical operations are chosen from the group consisting of 
Boolean operators or combinators, such as AND, OR, NOT, and XOR, where the terminal nodes are given one of the values "true" and "false".

Especially in the more specific case, the mathematical operations are preferably binary operations, 
and the nodes comprising expressions are preferably generated with a first and a second pointer so as 
to be able to point at two other nodes, the second pointer being used, if the expression, given a set of 
variable values, is true, and the first pointer if the expression is false. 
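The node layout of the first aspect (an inequality, a first pointer for the false outcome, a second pointer for the true outcome, ordered expressions, Boolean terminals), the two local node reductions, and the recursive combination of two structures under a Boolean operation described above, written out as an added Python example. This is not code from the patent; it assumes difference constraints x - y <= c as the only expression kind and a lexicographic ordering on (x, y, c), both choices of this example.

```python
# Added example (not the patent's code): a small difference decision diagram.
from typing import NamedTuple


class Constraint(NamedTuple):
    """Difference constraint x - y <= c, the only expression kind used here."""
    x: str
    y: str
    c: int

    def holds(self, env):
        return env[self.x] - env[self.y] <= self.c

    def implies(self, other):
        # x - y <= c implies x - y <= d whenever c <= d (same two variables).
        return (self.x, self.y) == (other.x, other.y) and self.c <= other.c


class Node(NamedTuple):
    expr: Constraint
    low: object   # first pointer: followed when expr is false
    high: object  # second pointer: followed when expr is true


def order(e):
    """Ordering criterion assumed by this example: lexicographic on (x, y, c)."""
    return (e.x, e.y, e.c)


def top(d):
    """Order of a diagram's lowest-order node; terminals sort after all nodes."""
    return (0, order(d.expr)) if isinstance(d, Node) else (1,)


_unique = {}  # one shared Node per (expr, low, high): the duplicate-node reduction


def mk(expr, low, high):
    """Build a node and apply the reductions the text describes: a node whose
    pointers all lead to the same diagram is dropped; a test that implies the
    next test on the same variables and shares its true branch is redundant
    (the one case compatible with the ordering above); identical nodes are shared."""
    key = (0, order(expr))
    assert key < top(low) and key < top(high), "children must have higher order"
    if low == high:
        return low
    if isinstance(low, Node) and expr.implies(low.expr) and low.high == high:
        return low
    node = Node(expr, low, high)
    return _unique.setdefault(node, node)


def constraint(x, y, c):
    """Diagram deciding the single constraint x - y <= c."""
    return mk(Constraint(x, y, c), False, True)


def AND(a, b):
    return a and b


def OR(a, b):
    return a or b


def apply(op, f, g, memo=None):
    """Combine f and g under a Boolean operation, following the text's case
    split on the lowest-order node of each operand."""
    if memo is None:
        memo = {}
    if isinstance(f, bool) and isinstance(g, bool):
        return op(f, g)              # both terminal: perform the operation
    if (f, g) in memo:
        return memo[(f, g)]
    tf, tg = top(f), top(g)
    if tf == tg:                     # identical expressions: descend pairwise
        r = mk(f.expr, apply(op, f.low, g.low, memo), apply(op, f.high, g.high, memo))
    elif tf < tg:                    # f's node is lowest (or g is a terminal)
        r = mk(f.expr, apply(op, f.low, g, memo), apply(op, f.high, g, memo))
    else:                            # g's node is lowest (or f is a terminal)
        r = mk(g.expr, apply(op, f, g.low, memo), apply(op, f, g.high, memo))
    memo[(f, g)] = r
    return r


def negate(d):
    """NOT: keep every test, swap the terminals reached."""
    return (not d) if isinstance(d, bool) else mk(d.expr, negate(d.low), negate(d.high))


def evaluate(d, env):
    """Follow the pointers under a variable assignment to the terminal reached."""
    while isinstance(d, Node):
        d = d.high if d.expr.holds(env) else d.low
    return d


if __name__ == "__main__":
    a = constraint("x", "y", 3)                  # x - y <= 3
    b = constraint("x", "y", 5)                  # x - y <= 5
    print(apply(OR, a, b) == b)                  # True: the a-test is redundant
    d = apply(AND, a, constraint("y", "z", 2))
    print(evaluate(d, {"x": 4, "y": 2, "z": 1}))  # True
    print(apply(AND, a, negate(a)))              # False
```

The combination alone does not notice that a path has no satisfying values (for instance the branch in which x - y <= 3 holds but x - y <= 5 is tested and fails); that is the path-feasibility reduction described earlier and needs a constraint solver, such as the difference bound matrices used for existential quantification.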

A number of methods exist for altering thus generated data structures in order to prepare the structures 
for certain analyses. 

A first such method to existentially quantify out a variable is one comprising the steps of 

a) identifying all paths leading from a root to a "true" terminal node, 

b) for each path, constructing a difference bound matrix obtained from a combined expression ob- 
tained by, for each node entered in the path, the expression therein having to provide the outcome 
corresponding to the pointer of the node pointing to the next node, 

c) solving the all pairs shortest path problem for each difference bound matrix, 

d) removing in each matrix the row and column corresponding to a predetermined variable, 

e) constructing a path from each matrix, and 

f) combining all the paths by a disjunction using the above more general method using Boolean 
operators. 

In this manner, a variable may be removed from the system in order to remove the constraints thereon. 
This may be interesting for use in e.g. an assignment. 

Preferably a path is obtained from each matrix by a method where the construction step comprises, for 
each entry in the matrix, generating a node having a difference constraint corresponding to the vari- 
ables of the row and column and the constant of the entry, and subsequently combining the resulting 
nodes by conjunction. 

Especially advantageous is a method where the solving step comprises, for each matrix, solving 
the difference bound matrix by the algorithm of Floyd-Warshall performing only relaxation steps
involving the predetermined variable. 
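The first quantification method, steps b) to f), together with the restricted Floyd-Warshall of the last paragraph, as an added Python example that is not the patent's code. A path is given directly as the list of difference constraints x - y <= c collected along it, and a disjunction of paths as a list; the example assumes integer bounds (so that a negated test has already been rewritten as a non-strict bound) and keeps a result as the set of constraints of the projected path.

```python
# Added example (not the patent's code): existential quantification of one
# variable over paths, using difference bound matrices (DBMs).
from typing import NamedTuple

INF = float("inf")


class Constraint(NamedTuple):
    """Difference constraint x - y <= c."""
    x: str
    y: str
    c: int


def build_dbm(path, variables):
    """Step b): the DBM of a path's combined expression. M[i][j] is the tightest
    bound on v_i - v_j, INF where the path gives none, 0 on the diagonal."""
    idx = {v: i for i, v in enumerate(variables)}
    n = len(variables)
    M = [[INF] * n for _ in range(n)]
    for i in range(n):
        M[i][i] = 0
    for k in path:
        i, j = idx[k.x], idx[k.y]
        M[i][j] = min(M[i][j], k.c)
    return M


def close(M, pivots):
    """Step c): Floyd-Warshall relaxation M[i][j] = min(M[i][j], M[i][k] + M[k][j])
    over the given pivot indices; all indices gives the full all-pairs closure,
    the quantified variable alone gives the restricted variant of the text."""
    n = len(M)
    for k in pivots:
        for i in range(n):
            for j in range(n):
                if M[i][k] + M[k][j] < M[i][j]:
                    M[i][j] = M[i][k] + M[k][j]
    return M


def quantify_path(path, var, only_var_relaxations=False):
    """Exists var over one path (steps b) to e)): build the DBM, close it, drop
    var's row and column, and read the remaining finite entries back as the
    constraints of a new path. Returns None for a path no values satisfy (a
    negative cycle on the diagonal); such a path contributes nothing."""
    variables = sorted({v for k in path for v in (k.x, k.y)})
    if var not in variables:
        return frozenset(path)
    M = build_dbm(path, variables)
    xi = variables.index(var)
    close(M, [xi] if only_var_relaxations else range(len(variables)))
    if any(M[i][i] < 0 for i in range(len(M))):
        return None
    return frozenset(
        Constraint(vi, vj, M[i][j])
        for i, vi in enumerate(variables) if i != xi
        for j, vj in enumerate(variables) if j != xi and i != j and M[i][j] != INF
    )


def quantify(paths, var, only_var_relaxations=False):
    """Steps a) and f): exists var over a disjunction of paths; the result is the
    disjunction (a list) of the projected paths with duplicates merged."""
    result = []
    for p in paths:
        q = quantify_path(p, var, only_var_relaxations)
        if q is not None and q not in result:
            result.append(q)
    return result


if __name__ == "__main__":
    # Constructed paths: path1 has t + 2 <= x <= t + 5 and y <= x + 1;
    # path2 demands x <= t + 1 and x >= t + 3 at once and is infeasible.
    path1 = [Constraint("x", "t", 5), Constraint("t", "x", -2), Constraint("y", "x", 1)]
    path2 = [Constraint("x", "t", 1), Constraint("t", "x", -3)]
    print(quantify([path1, path2], "x"))
    # [frozenset({Constraint(x='y', y='t', c=6)})]: x is gone, y - t <= 6 remains
```

With the full closure the diagonal check also detects the infeasible paths that the earlier reduction on paths removes; with the restricted relaxation only cycles through the quantified variable are found, which is enough to derive every consequence that the removed variable carried between the remaining ones.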

Another, often more efficient, method for existentially quantifying out a variable comprises the steps 
of: 

a) determining a variable, 

b) generating a new data structure by: 

• if the data structure is a terminal node then the result is said terminal node, 

• if the lowest order node of the data structure does not comprise an expression containing the 
variable, 

- generating a first new data structure from the data structure pointed to by the first pointer 
of the node by performing step b), 

- generating a second new data structure from the data structure pointed to by the second 
pointer of the node by performing step b), 

- generating a new node having an expression identical to the expression of the node, 

- having the new node's first pointer point at the first new data structure, 

- having the new node's second pointer point at the second new data structure, 

• if the lowest order node of the data structure comprises an expression containing the variable, 

- generating a first new data structure from the data structure pointed to by the first pointer 
of the node by performing a relaxing step with the negation of the node's expression as 
the constraining expression and then performing step b), 

- generating a second new data structure from the data structure pointed to by the second 
pointer of the node by performing a relaxing step with the node's expression as the 
constraining expression and then performing step b), 

- generating the resulting data structure as the disjunction of the first and the second new 
data structure. 

A new data structure can then be obtained and used for further analysis. 

The relaxing step with a given variable and a constraining expression which is either a lower or an 
upper bound on the variable, is preferably carried out by a method generating a new data structure by: 

a) • if the data structure is a terminal node then the result is said terminal node, 

• if the lowest order node of the data structure comprises an expression containing the variable, 
- generating a first new data structure from the data structure pointed to by the first pointer of the node by performing step a),

- generating a second new data structure from the data structure pointed to by the second 
pointer of the node by performing step a), 

- if the constraining expression is an upper bound on the variable and the expression of 
the node is also an upper bound on the variable, 

* constructing a new expression without the variable obtained by combining conjunctively 
the constraining expression and the negation of the expression of the node, 

* generating the resulting data structure as the disjunction of 

• the negation of the expression of the node conjuncted with the first new data 
structure and the new expression, and 

• the expression of the node conjuncted with the second new data structure, 

- if the constraining expression is an upper bound on the variable and the expression of 
the node is a lower bound on the variable, 

* constructing a new expression without the variable obtained by combining conjunctively 
the constraining expression and the expression of the node, 

* generating the resulting data structure as the disjunction of 

• the negation of the expression of the node conjuncted with the first new data 
structure, and 

• the expression of the node conjuncted with the second new data structure and the 
new expression, 

- if the constraining expression is a lower bound on the variable and the expression of the 
node is an upper bound on the variable, 

* constructing a new expression without the variable obtained by combining conjunctively 
the constraining expression and the expression of the node, 

* generating the resulting data structure as the disjunction of 

• the negation of the expression of the node conjuncted with the first new data 
structure, and 

• the expression of the node conjuncted with the second new data structure and the 
new expression, 

- if the constraining expression is a lower bound on the variable and the expression of the 
node is also a lower bound on the variable, 

* constructing a new expression without the variable obtained by combining conjunctively 
the constraining expression and the negation of the expression of the node, 

* generating the resulting data structure as the disjunction of 

• the negation of the expression of the node conjuncted with the first new data 
structure and the new expression, and 

• the expression of the node conjuncted with the second new data structure, 

• if the lowest order node of the data structure does not comprise an expression containing the 
variable, 

- generating a first new data structure from the data structure pointed to by the first pointer 
of the node by performing step a), 

- generating a second new data structure from the data structure pointed to by the second 
pointer of the node by performing step a), 

- generating a new node having an expression identical to the expression of the node, 

- having the new node's first pointer point at the first new data structure, 

- having the new node's second pointer point at the second new data structure. 

Using this method of relaxing a variable with respect to a given constraint a modified data structure 
can be obtained which can be used for further analysis. 

Another method for removing a variable from the data structure comprises 

• interchanging the terminal nodes "true" and "false", 

• removing the variable using one of the methods above for performing existential quantification, 

• interchanging the terminal nodes "true" and "false". 

Using this method a variable can be universally quantified away from the data structure resulting in 
a data structure representing possible solutions to the remaining variables that are independent of the 
values of the chosen variable. This allows for the analysis of dependencies among variables in the 
data structure. 

A method which is especially useful when using the data structure to represent relations and predicates 
which must be applied on different expressions is a method for replacing, in the data structure, a first 
variable x with the sum of a second, different variable y and a constant c comprising: 
• constructing a second data structure by conjugating the initial data structure with a data 
structure comprising a conjunction of a first node comprising a difference constraint relating to 
x - y ≤ c, and a second node comprising a difference constraint relating to x - y ≥ c, 

• combining the first and the second data structures by the Boolean operation of conjunction, 

• removing x using one of the above methods. 

When modeling dynamically changing systems it is important to be able to change the values of the 
variables within the data structure. This can be done advantageously by a method for replacing, in 
the data structure, a first variable x with the sum of a second, different variable y and a constant c 
comprising: 

• removing x from the data structure, 

• constructing a second data structure by conjugating the initial data structure with a data 
structure comprising a conjunction of a first node comprising a difference constraint relating to 
x - y ≤ c, and a second node comprising a difference constraint relating to x - y ≥ c, 

• combining the first and the second data structures by the Boolean operation of conjunction. 

In the special situation where the desired change to a variable is an increment or decrement of the 
value of that variable an efficient and advantageous method comprises: 

• in each expression comprising a predetermined variable, replacing the variable by the same 
variable added with a predetermined constant. 

In many applications it is essential to be able to determine the maximum and minimum bounds on all 
variables in a data structure. A method for achieving this comprises: 

• identifying all paths leading from a root to a "true" terminal node, 

• for each path, constructing a difference bound matrix obtained from a combined expression 
obtained by, for each node entered in the path, the expression therein having to provide the 
outcome corresponding to the pointer of the node pointing to the next node, 

• solving the all pairs shortest path problem for each difference bound matrix, 

• generating a maximum matrix from the difference bound matrices and having the same dimensions 
as the difference bound matrices by, for each entry in the maximum matrix, selecting the 
largest value in the difference bound matrices relating to the same entry, and 

• obtaining information from the maximum matrix. 

Using this method minimum and maximum delay times can be computed in for instance timed systems. 

Often some of the nodes in a data structure are redundant. It can therefore be advantageous to reduce 
the data structure. When the nodes contain difference constraints, one such method for removing 
infeasible paths from a data structure comprises: 

• for each path in the data structure from a root node to a terminal node: 

- for each node in the path, determining whether a set of variable values exists fulfilling 
a combined expression obtained by, for each node between the root node and the actual 
node, the expression therein having to provide the outcome corresponding to the pointer 
of the node pointing to the next node, and if no such set of variable values exists removing 
the pointer in the path pointing to the actual node. 

Preferably, the determining step is performed according to the Bellman-Ford algorithm where, for 
each node in the path, information relating to the nodes already visited is stored and re-used in 
subsequent nodes. 

When the nodes contain more general expressions a preferred method for removing infeasible paths 
from a data structure comprises: 

• for each path in the data structure from a root node to a terminal node: 

- for each node in the path, determining whether a set of variable values exists fulfilling a 
combined expression obtained by, for each node between the actual node and the root node, the 
expression therein having to provide the outcome corresponding to the pointer of the node 
pointing to the next node, 

- if no such set of variable values exists, removing the pointer in the path pointing to the 
actual node, 

wherein the determining step is performed using linear real programming, such as the simplex 
algorithm, or using integer linear programming. 
In applications where it is particularly important to get a fully reduced data structure a method can be 
applied, comprising the steps of: 

a) identifying all paths leading from a root to a "true" terminal node, 

b) for each path, constructing a difference bound matrix obtained from a combined expression obtained 
by, for each node entered in the path, the expression therein having to provide the outcome 
corresponding to the pointer of the node pointing to the next node, 

c) solving the all pairs shortest path problem for each difference bound matrix, 

d) constructing a path from each matrix by expressing the bounds of each entry as difference 
constraints on the variables corresponding to the entry and forming the conjunction of the difference 
constraints, and 

e) generating an amended data structure by combining all the paths by a disjunction, and 

f) for each node in the amended data structure in each path from the root to a "true" terminal node: 

g) determining an initial expression from a combination of the expressions of the nodes in the path 
between the root and the actual node, 

h) determining a conjunctive combination between the initial expression and an expression obtained 
by a disjunction between the data structures pointed at by the two pointers of the node, 

i) determining a conjunctive combination between: 

• the initial expression and 

• a disjunction between 

- a conjunction between the expression of the actual node and the data structure pointed 
at by the pointer representing a fulfillment of the expression of the node, 

- a conjunction between the negation of the expression of the actual node and the data 
structure pointed at by the pointer representing a non-fulfillment of the expression of 
the node, 

j) if the variable values fulfilling the combination h) and the combination i) are identical, replacing 
the actual node by the disjunction between the data structures pointed at by the two pointers of the 
actual node. 
Having constructed a data structure it can be analyzed in order to determine properties of the system 
modeled by the data structure. One such very useful method assesses whether there exists any set of 
values for the variables that when starting in a root of the structure, would result in a path ending in a 
predetermined terminal node, the method comprising: 

• inspecting whether the data structure consists of one terminal node only, 

• if so, a positive answer is returned, if the only terminal node is the predetermined terminal node, 
and a negative answer is returned, if the only terminal node is not the predetermined terminal 
node, 

• if not, a positive answer is returned. 

Using this method it can be determined for instance whether a data structure has no solutions or 
contains all assignments of values for the variables as a solution. By building the data structure to 
reflect comparison of two systems, or the implication between a system and a property, this method 
makes it possible to decide whether two systems are equivalent or a given system satisfies a given 
property. In analyzing any of the earlier mentioned application areas, this is an essential and highly 
useful method. 

An example of an assignment of values to variables leading to a given terminal node can be obtained 
automatically on a data structure with no infeasible paths by a method comprising: 

• starting in the root of the structure and repeating the step of: 

- if the first pointer of the node points to a terminal node different from the predetermined 
terminal node, selecting the node pointed to by the second pointer, otherwise selecting the 
node pointed to by the first pointer, 

• if the predetermined terminal node is found: 

- constructing the path from the root to the terminal node and deriving a combined expression 
obtained by, for each node entered, the expression therein having to provide the outcome 
corresponding to the pointer of the node pointing to the next node, and 

- solving the combined expression and deriving a set of values of the variables in the solution. 
Another useful method to analyze a data structure assesses whether a given set of values for the 
variables when starting in a root of the structure, would result in a path ending in a predetermined 
terminal node, the method comprising: 

• starting in a predetermined root of the structure and repeating the step of: if the node is a 
terminal node, returning the contents of the terminal node, otherwise, evaluating the expression 
of the node according to the set of variable values and continuing with the node pointed at by 
the pointer corresponding to the outcome of the expression. 

Using this method it can efficiently be decided whether an assignment of values to the variables 
results in any particular value in the data structure, thus to determine for instance whether the system 
modeled contains a known undesired, or desired, state. 
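The evaluation just described, together with the single-terminal check above, as an added example written for this page (not the patent's own code): a small hash-consed DDD with Boolean combination by APPLY, evaluated under an assignment on the Figure 2 expression φ = 1 < x - z < 3 ∧ (y - z > 2 ∨ y - x > 0), which is listed among the figures later on this page. The node layout, the ordering key and the variable names are this example's own assumptions, and path reduction (the page's REDUCE) is not implemented.

```python
"""Minimal difference decision diagram (DDD): hash-consed node creation,
Boolean combination of two DDDs (the page's APPLY) and evaluation of a DDD
under an assignment of variable values (the membership check above).
Added example written for this page; it is not the patent's own code."""


class Node:
    """Tests one difference constraint  x - y < c  (strict=True) or
    x - y <= c  (strict=False).  'high' is followed when the constraint
    holds, 'low' otherwise.  Terminals are the Python booleans True/False."""

    def __init__(self, x, y, c, strict, high, low):
        self.x, self.y, self.c, self.strict = x, y, c, strict
        self.high, self.low = high, low

    def key(self):
        # Fixed ordering of constraints (an assumption of this example):
        # by variable pair, then by bound.
        return (self.x, self.y, self.c, self.strict)


_unique = {}  # hash-consing table so that identical nodes are shared


def mk(x, y, c, strict, high, low):
    """Create a node (the page's Mk); a node whose two pointers agree is
    redundant and is replaced by that child."""
    if high is low:
        return high
    k = (x, y, c, strict, id(high), id(low))
    if k not in _unique:
        _unique[k] = Node(x, y, c, strict, high, low)
    return _unique[k]


def cstr(x, y, c, strict=True):
    """DDD for the single constraint x - y < c (or x - y <= c)."""
    return mk(x, y, c, strict, True, False)


def apply(op, u, v):
    """Combine DDDs u and v with a Boolean operator op (the page's APPLY):
    branch on the lowest-ordered root constraint, Shannon-style, until both
    arguments are terminals."""
    memo = {}

    def go(u, v):
        k = (id(u), id(v))
        if k in memo:
            return memo[k]
        if isinstance(u, bool) and isinstance(v, bool):
            r = op(u, v)
        elif isinstance(v, bool) or (not isinstance(u, bool) and u.key() < v.key()):
            r = mk(u.x, u.y, u.c, u.strict, go(u.high, v), go(u.low, v))
        elif isinstance(u, bool) or v.key() < u.key():
            r = mk(v.x, v.y, v.c, v.strict, go(u, v.high), go(u, v.low))
        else:  # both roots test the same constraint: split both
            r = mk(u.x, u.y, u.c, u.strict, go(u.high, v.high), go(u.low, v.low))
        memo[k] = r
        return r

    return go(u, v)


def AND(a, b):
    return a and b


def OR(a, b):
    return a or b


def neg(u):
    """Negate a DDD (the page's Not): flip the terminal each path reaches."""
    return apply(lambda a, b: not a, u, True)


def evaluate(u, env):
    """Follow the path selected by env (dict variable -> value) to a terminal:
    the page's check whether a given assignment reaches a given terminal."""
    while not isinstance(u, bool):
        d = env[u.x] - env[u.y]
        holds = d < u.c if u.strict else d <= u.c
        u = u.high if holds else u.low
    return u


def has_solution(u, target=True):
    """The page's single-terminal test.  It presumes infeasible paths were
    removed (the page's REDUCE, not implemented here); then any non-terminal
    DDD has a path to the target terminal."""
    return u is target if isinstance(u, bool) else True


def figure2_phi():
    """phi = 1 < x - z < 3 and (y - z > 2 or y - x > 0), the Figure 2 expression,
    each constraint normalized to a - b < c (1 < x - z becomes z - x < -1)."""
    lower, upper = cstr("z", "x", -1), cstr("x", "z", 3)
    yz, yx = cstr("z", "y", -2), cstr("x", "y", 0)
    return apply(AND, apply(AND, lower, upper), apply(OR, yz, yx))
```

Conjoining a constraint with its own negation collapses to the "false" terminal because both roots share a key, but x - y < 0 ∧ y - x < 0 does not, which is why the page's path reduction is still needed before has_solution is trustworthy.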

Timed automata are a popular model of timed systems. These can be advantageously analyzed using 
the data structure of this document by generating a data structure for analyzing a system modeled by 
a timed automaton having a number of states and clocks, wherein: 

step a) comprises: 

- determining a first set of variables to be used for the encoding of the states, 

- determining a second set of variables to be used for the clocks, 

step b) comprises: 

- identifying transitions between states, a transition comprising a starting state, an ending 
state, a requirement to be fulfilled in order to enable the transition to take place, an action 
(updating the variables, advancing time, etc.) to be performed when the transition takes 
place, and a requirement of the clocks to be fulfilled after the transition has taken place, 

step d) comprises: 

- for each transition, generating a data structure representing the requirement to be fulfilled 
in order for the transition to be enabled, 

step e) comprises: 

- constructing a data structure representing the set of reachable states by: 

- constructing a data structure R representing a set of initial states of the automaton, 

- repeatedly: 
* selecting a transition, 

* generating an amended data structure R' by conjugating the data structure representing 
the requirement of said selected transition with R, 

* generating an amended data structure R" by, in R', updating variables in accordance 
with the actions of the transition, 

* assigning R as the disjunction of R and R", 
until R is unchanged for all transitions, 

where after inquiries may be made as to the existence of predetermined states of the automaton using 
any of the above methods. 

Even more complex systems can be modeled and analyzed by a concurrent system of timed automata. 
These systems can be analyzed by generating a data structure for analyzing a concurrent system 
modeled by a composition of a number of timed automata each having a number of states and clocks, 
wherein: 

step a) comprises: 

- determining a first set of variables to be used for the encoding of the individual states of 
the automata, 

- determining a second set of variables to be used for the individual clocks of the automata, 

- determining a third and fourth set of variables to be used for encoding the new values of 
the variables from the first and second set such that there is a one-to-one correspondence 
between the variables in the first and third set, respectively in the second and fourth set, 

step b) comprises: 

- identifying non-idling transitions between states, a non-idling transition comprising a 
starting state, an ending state, a requirement to be fulfilled in order to enable the transition 
to take place, an action to be performed when the transition takes place, and a requirement 
of the clocks to be fulfilled after the transition has taken place, 

- identifying idling transitions from a state to itself, comprising a requirement to be fulfilled 
when none of the requirements of the non-idling transitions are fulfilled on that state, an 
empty action, and a requirement of the clocks to be fulfilled after the transition has taken 
place, 

step d) comprises: 
- for each transition, generating a data structure over the four sets of variables, representing 
a relation expressing the requirement to be fulfilled in order for the transition to be 
enabled using the first two sets of variables, expressing the action to be performed when 
the transition takes place using the third and fourth sets of variables, and expressing the 
requirement of the clocks using the third and fourth sets of variables, 

- generating a data structure A representing the advance time predicate using variables from 
the second and fourth set of variables, 

- constructing a data structure T representing the set of transitions by: 

* defining a data structure T as a terminal node representing "true", 

* for each automaton: 

• defining a data structure U as a terminal node representing "false", 

• for each transition of the automaton, assigning to U the disjunction of U and the 
selected transition, 

• assigning to T the conjunction of T and U, 

* assigning to T the disjunction of the advance time predicate A and T, 

step e) comprises: 

- constructing a data structure representing the set of reachable states by: 

* constructing a data structure R representing a set of initial states of the automata, 

* repeatedly: 

• generating a data structure R' by conjugating T and R, 

• generating a data structure R" by quantifying out all variables from the first and 
second set of variables, 

• generating a data structure R'" by replacing all variables from the third and fourth 
set of variables with the corresponding variable for the first and second set, 

• assigning to R the disjunction of R and R'", 
until R is unchanged, 

where after inquiries may be made as to the existence of predetermined states of the automata. 

Timed Petri nets are another popular model of timed concurrent systems. These systems can be 
analyzed with the data structure by constructing it from a timed Petri net, which has a number of 
transitions and states, each state having a clock and an associated time delay interval, with a 
method comprising the steps of: 

step a) comprises: 

- determining a first set of variables to be used for the encoding of the states, 

- determining a second set of variables to be used for the clocks, 

step b) comprises: 

- identifying transitions between states, a transition comprising a starting state, an ending 
state, and a requirement to be fulfilled in order to enable the transition to take place, the 
identified transitions possibly including a transition that advances time, 

step d) comprises: 

- for each transition, generating a data structure representing the requirement to be fulfilled 
in order for the transition to be enabled, 

step e) comprises: 

- constructing a data structure representing the set of reachable states by: 

* constructing a data structure R representing an initial state of the Petri net, 

* repeatedly: 

• selecting a transition, 

• generating an amended data structure R' by conjugating the data structure representing 
the requirements of the selected transition with R, 

• generating an amended data structure R" by, in R', updating variables in accordance 
with the actions of the transition, 

• assigning R as the disjunction of R and R", 
until R is unchanged for all transitions, 

where after inquiries may be made as to the existence of predetermined states of the Petri net using 
any of the methods above. 

The data structure thus generated can be used for analysis by any of the above methods. 

A third popular model for analyzing a system uses min/max/linear constraints, the model having a 
number of nodes, each either being a "max" node, a "min" node or a "linear" node, and a number of 
constraints each pointing from one node to another, each constraint representing a time interval. This 
model can be analyzed by building a data structure with a method comprising the steps of: 
step a) comprises: 

- determining a set of variables, one for each node, 

step b) comprises: 

- identifying constraints between nodes, a constraint comprising a starting node, an ending 
node, and a time delay, 

step d) comprises: 

- for each node, generating a data structure by representing a relation between the actual 
node, the nodes from which constraints point to the actual node, time intervals of those 
constraints, and the type of the actual node (min, max, or linear), 

step e) comprises: 

- constructing a data structure by performing the conjunction of the data structures generated 
in step d). 

This method is particularly useful if the terminal nodes are adapted to represent "true" or "false", and 
the inequalities in the nodes are difference constraints. Information on the model can then be obtained 
from the data structure using any of the above methods. 

In economic models, planning problems, and various optimization problems the solution is expressed 
as Boolean combinations of linear inequalities. Such models can be analyzed by constructing a data 
structure and analyzing it using any of the above methods. The construction can be performed by a 
method comprising the steps of: 

• determining the linear inequalities, 

• defining a number of different expressions, each comprising a linear inequality, and 

• combining the data structures using the method for computing Boolean operators. 

Inquiries to the data structure can then be obtained by any of the above methods. 

Embedded systems, fault-tolerant systems, safety-critical systems, and concurrent compositions of 
any such systems can be advantageously analyzed by making a model using timed automata, timed 
Petri nets, or min/max/linear constraints models and proceeding with one of the above methods for 
constructing a data structure from the model. 
Furthermore, a range of other important problems can be addressed with the data structure. One 
example is the interface timing between two components which can be verified using a method 
comprising: 

• modeling the interface timing of the two components or systems using a min/max/linear 
constraint model, 

• analyzing the model according to any of the above methods. 

Another example is in the analysis of economical systems, operations research systems, transport 
systems, or planning problems, with a method comprising: 

• modeling the system or problem using Boolean combinations of linear inequalities, 

• analyzing the model according to any of the above methods. 

A third example is for the analysis of the timing behavior of a combinational circuit, with a method 
comprising: 

• modeling the gates of the circuit using a min/max/linear constraint model, 

• analyzing the model according to any of the above methods. 

A fourth example is the analysis of the timing behavior of combinational parts of a sequential circuit, 
with a method comprising: 

• modeling the gates of the parts of the circuit using a min/max/linear constraint model, 

• analyzing the model according to any of the above methods. 

A fifth example is the analysis of the timing behavior of an asynchronous circuit, the method 
comprising: 

• modeling the gates of the circuit using a timed Petri net, 

• analyzing the model according to any of the above methods for Petri nets. 

A sixth example is for analyzing a sequential or concurrent computer program, the method comprising: 

• modeling statements, such as assignments or conditional guards, as expressions containing 
inequalities in a data structure as defined earlier, 

• achieving a model of the full program by: 

- combining the models of the individual statements, using manipulation algorithms 
comprising Boolean operators, quantifiers and/or substitutions, according to any of the above 
methods, 

- constructing a data structure R representing an initial state of the program, 

- repeatedly: 

* selecting a statement, 

* generating an amended data structure R' by conjugating the data structure representing 
the requirements of the selected statement with R, 

* generating an amended data structure R" by, in R', updating variables in accordance 
with the actions of the statement, 

* assigning R as the disjunction of R and R", 
until R is unchanged for all statements, 

• analyzing the program by analyzing R using any of the above methods. 

The preferred embodiment of the invention is a program for a computer, the program performing any 
of the methods above and storing the data structure in its memory or on its disk. 

In the following, a preferred embodiment of the generation of the data structure as well as a preferred 
embodiment of the use thereof is described in relation to the drawings, wherein: 

Figure 1 shows Milner's scheduler — a small example of a protocol for starting and detecting 
termination of N tasks. 

Figure 2 shows a DDD for the expression φ = 1 < x - z < 3 ∧ (y - z > 2 ∨ y - x > 0). 

Figure 3 shows an (x, y)-plot for the DDD in Figure 2 for z = 0. 

Figure 4 shows the runtimes for Milner's scheduler. 

Figure 5 shows an example of a timed automaton (used in Example 3). 

Figure 6 shows a DDD for the expression x_2 - x_1 < 0. 

Figure 7 shows a DDD for the expression x_2 - x_1 ≤ 0. 

Figure 8 shows a DDD for the expression x_2 - x_1 = 0. 

Figure 9 shows a DDD for the expression x_2 - x_1 ≥ 0. 

Figure 10 shows a DDD for the expression x_2 - x_1 > 0. 

Figure 11 shows a DDD for the expression x_2 - x_1 ≠ 0. 

Figure 12 shows a graph with a negative-weight cycle. 

Figure 13 shows an (x, y)-plot of ∃x.φ for z = 0 (for the expression φ in Figure 2). 

Figure 14 shows a DDD for ∃x.φ (for the expression φ in Figure 2). 

In Annex A, preferred embodiments are given for a number of algorithms for generating, amending, 
and reducing the present data structure as well as for deriving information relating to the systems 
modelled thereby. These algorithms are: 

Algorithm 1: Mk. Create a node corresponding to the ITE expression x - y < c → h, l. 

Algorithm 2: MkNorm. Create a node where the variables are not necessarily normalized. 

Algorithm 3: MkDiffCstr. Create a difference constraint of the form x - y ~ c, where ~ is one of 
{<, ≤, =, ≠, ≥, >}. 

Algorithm 4: APPLY. Combine two DDDs with a Boolean operator. 
Algorithm 5: Not. Negate a DDD. 

Algorithm 6: FEASIBLE. Determine whether a constraint system has a feasible solution using the 
Floyd-Warshall algorithm. 

Algorithm 7: REDUCE. Path-reduce a DDD. 

Algorithm 8: Feasible'. Determine whether a constraint system has a feasible solution using an 
incremental version of Bellman-Ford's algorithm. 

Algorithm 9: InsertCstr. Insert a constraint in a list, keeping it squeezed. 

Algorithm 10: Unsatisfiable, Tautology, Satisfiable, Falsifiable, Equivalent, Consequence. 
Determine functional properties of a DDD based on REDUCE. 

Algorithm 11: AllInfeasible. Determine whether all 0- or 1-paths in a DDD are infeasible. 

Algorithm 12: ExistsFeasible. Determine whether some 0- or 1-path in a DDD is feasible. 
Algorithm 14: Unsatisfiable, Tautology, Satisfiable, Falsifiable. Determine functional 
properties of a DDD based on AllInfeasible and ExistsFeasible. 

Algorithm 15: Anysat. Create a satisfying variable value assignment for a DDD if it is not 
unsatisfiable. 

Algorithm 16: EXISTS. Existential quantification of a variable in a DDD. 

Algorithm 17: Relax. Relaxation of a DDD with a difference constraint. 

Algorithm 18: Forall. Universal quantification 

Algorithm 19: ASSIGN. Assignment operator 

Algorithm 20: INCREMENT. Increment operator 

Algorithm 21: Replacement. Replacement operator 

Algorithm 22: Hull. Convex hull of a DDD. 

Algorithm 23: MERGE. Merge all disjunctive vertices in a DDD. 

Analyzing Concurrent Systems (Overview) 

The following first part of the description illustrates the basic features of the invention by means of 
simple terms and accompanying figures. The second part to follow will deal with the theoretical 
background of the invention in more detail. The detailed second part is directed towards an example 
of the invention described as Difference Decision Diagrams. It should nevertheless be emphasized 
that the invention can be utilized for any system which can be modeled using Boolean combinations 
of relational expressions. 

To analyze a system, such as a digital circuit or embedded software, the system needs to be modeled 
mathematically. The mathematical model can then be rigorously scrutinized either by a human or, 
more practically, by a computer program. The invention described herein is used to efficiently analyze 
a system through a mathematical model and thereby obtain answers to questions such as whether the 
system can reach an erroneous state or whether the model may reach a preferred state. 

Timed guarded commands are an example of a mathematical notation used to model concurrent 
systems. A timed guarded command program consists of a number of timed guarded commands which 
have the form 

g → v := d 

where g is a guard (a Boolean predicate) and v := d is a multi-assignment of n constants in d to n 
variables in x. The constants and variables may be Booleans, integers or reals. Timed guarded 
commands are a powerful notation for modeling concurrent systems which contain non-Boolean domains. 
Popular models such as timed Petri nets and timed automata can be represented in a straightforward 
manner by a timed guarded command program. 

Referring now to Fig. 1, a small example is described in order to illustrate the key aspects of the 
invention. The example is a model of a concurrent system called Milner's scheduler. The scheduler 
consists of N cyclers, connected in a ring, cooperating on starting and detecting termination of N 
tasks (these tasks are not further described). The scheduler must make sure that the N tasks are 
always started in order but they are allowed to terminate in any order. This is one of the properties 
that has to be shown to hold for the model. The cyclers attempt at fulfilling this by passing a token: 
the holder of the token is the only process allowed to start its task. 

All cyclers are similar except that one of them has the token in the initial state of the system. We 
associate three Boolean variables c_i, h_i, and t_i with each cycler and use a global clock H to ensure 
that a cycler passes the token on to the following cycler within a bounded amount of time given by the 
interval [H^l, H^u]. This clock is modeled using a real-valued variable in the timed guarded command 
program. The variable c_i is used to denote whether the token is available for task i, variable h_i denotes 
whether cycler i has the token, and t_i denotes whether the task is running. The i-th cycler is described 
by two timed guarded commands and the task is modeled by a third guarded command: 

c_i ∧ ¬t_i → H, t_i, c_i, h_i := 0, true, false, true 

h_i ∧ H^l ≤ H ≤ H^u → c_{(i mod N)+1}, h_i := true, false 

t_i → t_i := false . 

The first timed guarded command expresses that if the token is available for the $i$-th cycler ($c_i$ = true)
and the $i$-th task is not running ($t_i$ = false), then the token clock is reset ($H := 0$), the $i$-th task is
started ($t_i$ := true) and the cycler grabs the token ($c_i$ := false and $h_i$ := true). The second command
expresses that if the cycler has the token ($h_i$ = true) and the clock $H$ is within the interval $[H^l, H^u]$,
then the token is passed on to the next cycler in the ring. The third guarded command expresses that
the task may terminate at any point if it is running.
To complete the model of the scheduler, a timed guarded command for advancing time is needed.
Such a command increments the clock $H$ with some arbitrary positive amount $\delta$:

$$\mathit{true} \to H := H + \delta .$$

Notice that since the right-hand side of the assignment is not a constant value and $\delta$ furthermore
represents an arbitrary value, the above guarded command cannot be written down explicitly as a timed
guarded command. Below, it is shown in detail how the advance-time commands are represented.

To answer questions such as whether it is always the case that at most one cycler has the token, one
needs to analyze the set of reachable states of the system. A single state is a pair $(s, v)$ where $s$
is a discrete state and $v$ is the associated timing information (a clock assignment). For example, a
state of a scheduler with $N = 2$ could be that $c_0$ = true, and the five other Boolean variables ($h_0$,
$t_0$, $c_1$, $h_1$, and $t_1$) all are false and the associated timing information is that clock $H$ has the value
3.1415135. This state is thus represented by $(s, v)$ where $s$ = (true, false, false, false, false, false)
and $v$ = (3.1415927). To check a given property, one can determine the set of all states reachable
from the initial state of the system. This set is denoted $R$. Observe that $R$ is not a finite set since the
clock $H$ is modeled using a real-valued variable: for example $R$ may contain infinitely many states
$(s, v)$ where $H$ is between 0.1 and 0.2.

To analyze timed systems, clock valuations are grouped into sets. This allows the state space of a 
timed system to be represented as a finite set of pairs (s, V) of discrete states and their associated set 
of clock valuations. For example, a set of clock valuations can be represented as V = 0.1 < H < 0.2. 
It turns out that when constructing the set of reachable states, all groups of clock valuations can be 
expressed using the following grammar: 

$$\psi ::= x - y < d \mid \neg\psi \mid \psi_1 \wedge \psi_2 \mid \psi_1 \vee \psi_2 , \qquad (1)$$

where $x$ and $y$ are real-valued clock variables and $d$ is a constant.

The states of a timed system can be further grouped by combining the discrete state s with the group of 
clock valuations V. This is done by expanding the above grammar to also include Boolean variables: 

$$\psi ::= x - y < d \mid \neg\psi \mid \psi_1 \wedge \psi_2 \mid \psi_1 \vee \psi_2 \mid b ,$$

where $b$ is a Boolean variable. Notice that the grammar does not contain inequalities of the form
$x < d$. To express such constraints, a new variable $z$ is introduced. This variable denotes "zero"
or "current time" and is used to express all constraints of the form $x < d$ as $x - z < d$. Using the
$z$-variable, the set of clock valuations $V = 0.1 < H < 0.2$ is expressed in the above grammar as

$$z - H < -0.1 \wedge H - z < 0.2 .$$

The discrete state is combined with the timing information by expressing the discrete state using the
Boolean variables and combining the two parts by conjunction:

$$(c_0 \wedge \neg h_0 \wedge \neg t_0 \wedge \neg c_1 \wedge \neg h_1 \wedge \neg t_1) \wedge (z - H < -0.1 \wedge H - z < 0.2) .$$

Assume two states $(s, V)$ and $(s', V')$ are both represented using formulas $\phi$ and $\phi'$ as just described.
The formula $\phi \vee \phi'$ is then a formula that represents the set of states $\{(s, V), (s', V')\}$. This way of
representing sets of states using formulas makes it possible to construct the set of reachable states by
manipulations of formulas. The set of reachable states $R$ is computed using the following algorithm
(a standard fixed-point iteration):

    Q ← φ_0
    R ← Q
    while Satisfiable(Q) do
        Q' ← Next(Q)
        Q ← Q' ∧ ¬R
        R ← R ∨ Q

The initial state of the system is represented by the formula $\phi_0$. The formula $Q$ represents the
"frontier" of the states, i.e., the set of newly discovered states. The formula $R$ represents the set
of reachable states of the system. The procedure Satisfiable determines whether a given formula
is satisfiable, i.e., whether there exist values for the variables which make the formula true. The
procedure Next($\phi$) determines a formula representing the set of states reachable by executing any
timed guarded command or advancing time from a state satisfying $\phi$. This procedure is described in
detail in the following.

The efficiency of the above algorithm is determined by how efficiently one can represent the formulas 
Q and R and how efficiently one can implement the procedures Satisfiable(Q) and Next(Q). 
The invention described herein provides a compact data structure for representing formulas of the 
above form and provides efficient algorithms for implementing the procedures Satisfiable(Q) and
Next(Q). Thus, in an embodiment the invention enables a highly efficient analysis of timed systems.
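The fixed-point iteration above, run as an added example (not part of the patent) over an explicit-state abstraction of Milner's scheduler in Python. Finite sets of states stand in for the formulas Q and R: set union is "or", set difference is "and not", and Satisfiable(Q) is simply "Q is non-empty". Assumed here and not taken from the text: the clock H and its timing guard are dropped (an untimed abstraction), cyclers are numbered 0..N-1, and the token passes from cycler i to cycler (i + 1) mod N. The final check, that no reachable state has two cyclers holding the token, is the "R and h_i and h_j" test applied to the finite set.

```python
# Added example, not part of the patent: the frontier-based fixed-point
# iteration above, run in Python over an explicit-state abstraction of
# Milner's scheduler. Finite sets of states stand in for the formulas Q and
# R: set union is "or", set difference is "and not", and Satisfiable(Q) is
# "Q is non-empty".
# Assumptions (mine): the clock H and the timing guard H^l <= H <= H^u are
# dropped (an untimed abstraction), cyclers are numbered 0..N-1, and the
# token passes from cycler i to cycler (i + 1) mod N.

def scheduler_commands(n):
    """The 3n guarded commands of the untimed scheduler with n cyclers.

    A state is a tuple of 3n Booleans laid out as
    (c_0..c_{n-1}, h_0..h_{n-1}, t_0..t_{n-1}); a command is a pair
    (guard, update) of functions on states.
    """
    c = lambda i: i            # position of c_i in the state tuple
    h = lambda i: n + i        # position of h_i
    t = lambda i: 2 * n + i    # position of t_i

    def assign(state, updates):
        """Multi-assignment: copy the state and overwrite the given positions."""
        s = list(state)
        for pos, val in updates.items():
            s[pos] = val
        return tuple(s)

    cmds = []
    for i in range(n):
        nxt = (i + 1) % n
        # c_i and not t_i  ->  t_i, c_i, h_i := true, false, true
        cmds.append((lambda s, i=i: s[c(i)] and not s[t(i)],
                     lambda s, i=i: assign(s, {t(i): True, c(i): False, h(i): True})))
        # h_i  ->  c_{(i+1) mod n}, h_i := true, false      (timing guard dropped)
        cmds.append((lambda s, i=i: s[h(i)],
                     lambda s, i=i, nxt=nxt: assign(s, {c(nxt): True, h(i): False})))
        # t_i  ->  t_i := false
        cmds.append((lambda s, i=i: s[t(i)],
                     lambda s, i=i: assign(s, {t(i): False})))
    return cmds

def next_states(frontier, cmds):
    """Next(Q): all states reached by firing one enabled command from Q."""
    return {update(s) for s in frontier for guard, update in cmds if guard(s)}

def reachable(initial, cmds):
    """The fixed-point iteration of the text, with sets in place of formulas."""
    q = {initial}                          # Q <- phi_0
    r = set(q)                             # R <- Q
    while q:                               # while Satisfiable(Q) do
        q_next = next_states(q, cmds)      #     Q' <- Next(Q)
        q = q_next - r                     #     Q  <- Q' and not R
        r |= q                             #     R  <- R or Q
    return r

def initial_state(n):
    """c_0 = true (the token is available to cycler 0); everything else false."""
    return (True,) + (False,) * (3 * n - 1)

def two_cyclers_hold_token(reach, n):
    """Is R and h_i and h_j (i != j) satisfiable, i.e. is mutual exclusion violated?"""
    return any(s[n + i] and s[n + j]
               for s in reach for i in range(n) for j in range(i + 1, n))

if __name__ == "__main__":
    for n in (2, 3, 4):
        r = reachable(initial_state(n), scheduler_commands(n))
        print(f"N={n}: {len(r)} reachable states, "
              f"two tokens reachable: {two_cyclers_hold_token(r, n)}")
```

Because the frontier Q only ever contains states not yet in R, each state is expanded once; the symbolic version on the page keeps exactly this shape but replaces the set operations by DDD operations on formulas.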

The data structure "difference decision diagrams" (DDDs) is an example of an embodiment of the 
invention. A DDD is a directed acyclic graph with two terminals 0 and 1 and a set of non-terminal
nodes. Each non-terminal node in a DDD comprises a test expression (a difference constraint) and has 
two outgoing pointers called the high- and low-branch which are drawn with solid and dashed lines, 
respectively. The high-branch is followed when the test expression evaluates to true; the low-branch 
when the test expression evaluates to false. 

As an example of a DDD consider the following expression $\psi$ over $x$, $y$ and $z$:

$$\psi = 1 < x - z < 3 \wedge (y - z > 2 \vee y - x > 0) .$$

Figure 2 shows a DDD for the formula $\psi$, and Fig. 3 shows the values of $x$ and $y$ for which $\psi$ is true.

The invention provides methods for performing the operations needed in the procedures Satisfiable(Q)
and Next(Q). One method describes how to construct the DDD for the formula $\phi_1 \oplus \phi_2$,
where $\oplus$ is an arbitrary binary Boolean operator, given DDDs for the formulas $\phi_1$ and $\phi_2$. Another
method describes how to construct the DDD for the formula $\exists x.\phi$ given the variable $x$ and a DDD
representing the formula $\phi$. Finally, the invention provides methods for determining whether a given
DDD represents a satisfiable formula. These methods are all described in detail in the following.

Returning to the scheduler example, the set of reachable states has been constructed for an increasing
number of cyclers, N, using the above algorithm. The results are shown in Fig. 4. The
first column shows the number of cyclers, and the following three columns show the CPU time (in 
seconds) to build the reachable state space using the current tools KRONOS and UPPAAL. The last 
column shows the CPU time for constructing the set of reachable states when using an embodiment 
of the invention (for example DDDs). The results were obtained on a Pentium II PC with 64 MB 
of memory. A denotes that the analysis did not complete within an hour. Clearly, the invention 
enables a dramatic improvement in the size of systems that can be analyzed compared with current 
state-of-the-art tools. 

After constructing the set of reachable states $R$, it is straightforward to determine properties of the
system. For example, to determine whether a state exists in which both cycler $i$ and $j$ ($i \ne j$) hold
the token, the DDD for the formula $R \wedge h_i \wedge h_j$ is constructed. If and only if this formula is satisfiable
do there exist reachable states in which both cyclers have the token. Similarly, to test whether a
property $P$ holds in all states, the DDD for the formula $R \wedge \neg P$ is constructed. If and only if this
formula is satisfiable does there exist a state in which $P$ does not hold. More general properties can
also be determined with the methods described by this invention; this is further explained in the
following.

Analyzing Timed Systems (Detailed Description)

In the following a detailed description of how to analyze timed systems modeled as guarded commands
is given.

A timed guarded command program $G$ comprises a tuple $(B, C, T, I)$, where $B$ is a set of Boolean
variables, $C$ is a set of continuous variables called clocks, $T$ is a set of timed guarded commands,
and $I$ is a state invariant. A timed guarded command $t \in T$ has the form $g \to v := d$, where $g$ is a
guard and $v := d$ is a multi-assignment of $n$ constant values $d \in (\mathbb{B} \cup \mathbb{R})^n$ to Boolean variables and
clocks $v \in (B \cup C)^n$. Guards and state invariants are expressions $\phi$ constructed from the following
grammar

$$\phi ::= \mathit{false} \mid \mathit{true} \mid x \sim d \mid x - y \sim d \mid b \mid \neg\phi \mid \phi_1 \wedge \phi_2 \mid \exists b.\phi \mid \exists x.\phi , \qquad (2)$$

where $x, y \in C$ are clocks, $b \in B$ is a Boolean variable, $d \in \mathbb{R}$ is a constant, and $\sim$ is a relational
operator from $\{<, \le, =, \ne, \ge, >\}$. The symbols $\neg$ (negation), $\wedge$ (conjunction) and $\exists$ (existential
quantification) have their usual meaning.

Example 1 An example of a program is $G = (\{b\}, \{x, y\}, T, I)$, where $T$ contains the two guarded
commands

$$b \wedge (1 < x < 3) \to b := \mathit{false}$$
$$b \wedge (7 < x < 9) \to b, y := \mathit{false}, 0$$

and the state invariant is $I = (b \Rightarrow (x < 9)) \wedge (\neg b \Rightarrow (x \ne 5))$.

Transitional Semantics of Timed Guarded Commands

A state of the program $G = (B, C, T, I)$ is an interpretation (i.e., a value assignment) of the Boolean
variables and the clocks. For each Boolean variable $b \in B$, $s(b) \in \mathbb{B}$ denotes the interpretation of $b$
in the state $s$, and for each clock $x \in C$, $s(x) \in \mathbb{R}$ denotes the interpretation of $x$ in the state $s$. The
notation $s[x := y + d]$ is used to denote the state $s'$ equivalent to $s$ except that $s'(x) = s(y) + d$. A
state (and sets of states) can be represented by an expression $\phi$ of the form (2). The state $s$ satisfies
an expression $\phi$, written $s \models \phi$, if $\phi$ evaluates to true in the state $s$, and $[\![\phi]\!]$ denotes the set of states
that satisfy $\phi$.

The semantics of a timed guarded command program $G = (B, C, T, I)$ is a transition system $(S, \to)$,
where $S$ is the set of states of the program, and $\to$ is the transition relation. In each state, the program
can either execute a command $t \in T$ if its guard is true (a discrete transition) or let time pass $\delta$ time
units (a timed transition). Executing a command changes the value of some or all of the variables
(according to the multi-assignment), and letting time pass uniformly increases the values of all clocks
by $\delta$. The notation $s \xrightarrow{t} s'$ is used for a discrete transition from the state $s$ to $s'$ obtained by executing
the command $t$, and the notation $s \xrightarrow{\delta} s'$ for a timed transition obtained by increasing all clocks by
$\delta$. The discrete transition $\xrightarrow{t}$ for a timed command $t \in T$ of form $g \to v := d$ is defined by the
following rule:

$$\frac{s \models g \qquad s[v := d] \models I}{s \xrightarrow{t} s[v := d]} \qquad (3)$$

The timed transition $\xrightarrow{\delta}$ for advancing all clocks by $\delta$ is defined by the following rule:

$$\frac{\delta > 0 \qquad \forall \delta'.\, 0 \le \delta' \le \delta : s[c := c + \delta'] \models I}{s \xrightarrow{\delta} s[c := c + \delta]} \qquad (4)$$

where $\delta, \delta' \in \mathbb{R}$, $c$ denotes a vector of all clocks in $C$, and $c + \delta$ denotes the vector where $\delta$ is added
to the clocks in $c$.



Example 2 Consider the timed guarded command program $G$ from Example 1 and let $s$ be a state
satisfying $\neg b \wedge (x < 5)$. There are infinitely many timed transitions from $s$ in the transition system
for $G$, but none of these timed transitions leads to a state where $x >$ 5 because the state invariant
$\neg b \Rightarrow (x \ne 5)$ must hold continuously.



Encoding Timed Automata 

Timed guarded command programs can be used to model popular notations for timed systems such as
timed automata. A timed automaton over a set of clocks consists of a set of locations, a set of events,
and a set of timed transitions. Each location is associated with a location invariant over the clocks,
and each timed transition from location $l$ to location $l'$ is labeled with an event $a$ and has a guard $g$
over the clocks. Furthermore, each of the timed transitions has a set of clocks $\{c\}$ to be reset when
the timed transition is fired:

$$l \xrightarrow{a,\; g,\; \{c\}} l'$$

A timed automaton can be encoded as a timed guarded command program. Each location is encoded
as a Boolean variable. In a shared variable model as ours, the presence of an event from an alphabet
$\Sigma$ can be modeled by a global event variable $e$ taking on any of the values in $\Sigma$. This variable can for
instance be encoded using a logarithmic number of Boolean variables. Each timed transition in the
automaton corresponds to a timed guarded command:

$$l \wedge e = a \wedge g \to l, l', c := \mathit{false}, \mathit{true}, 0 .$$

The guard of the command is the guard of the timed transition $g$ conjoined with the source location $l$
of the timed transition and a condition $e = a$ requiring the event variable $e$ to have the value $a \in \Sigma$. The
multi-assignment assigns false to the source location $l$ and true to the destination location $l'$ of the
timed transition and resets the relevant clocks.

Example 3 Figure 5 shows an automaton over the clocks $\{x, y\}$ with two locations and two timed
transitions. Encoding this automaton as a timed guarded command program yields the program $G$
from Example 1 when ignoring the event $a$ and encoding the two locations $l_1$ and $l_2$ logarithmically
using a Boolean variable $b$.
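The encoding just described, as an added Python example that is not the patent's own code: each timed transition becomes a command whose guard is the source location, the event test and the transition guard, and whose multi-assignment moves the location Booleans and resets clocks; firing a command follows rule (3), so the guard is checked before and the state invariant after the assignment. Assumed here, not from the text: locations are one-hot Boolean variables named after the location (no logarithmic encoding), the event variable is a plain string stored under "e", guards and invariants are Python predicates over a state dictionary, and the automaton is reconstructed from Example 1 because Fig. 5 is not reproduced on this page.

```python
# Added example, not the patent's own code: encoding a timed automaton as
# timed guarded commands and firing a command by the discrete rule (3).
# Assumptions (mine): one-hot location Booleans named after the location, an
# event variable "e" holding a string, Python predicates for guards and
# invariants, and an automaton reconstructed from Example 1 (Fig. 5 is not
# available here): locations l1, l2 with invariants x < 9 and x != 5, and
# two transitions l1 -> l2 on event "a".

def encode_timed_automaton(locations, invariants, transitions):
    """Return (commands, invariant) for the automaton.

    transitions: list of (src, event, guard, resets, dst). Each command is
    (guard, assignment) where assignment maps variables to the constants
    they receive:   l, l', c := false, true, 0.
    """
    commands = []
    for src, event, guard, resets, dst in transitions:
        assignment = {src: False, dst: True}
        assignment.update({clock: 0.0 for clock in resets})
        # guard of the command:  l  and  e = a  and  g
        cmd_guard = (lambda s, src=src, event=event, guard=guard:
                     s[src] and s["e"] == event and guard(s))
        commands.append((cmd_guard, assignment))

    def invariant(s):
        # state invariant: for every location l,  l  implies  inv_l
        return all(not s[loc] or invariants[loc](s) for loc in locations)

    return commands, invariant

def fire(command, state, invariant):
    """Rule (3): s -> s[v := d] iff s |= g and s[v := d] |= I; None if blocked."""
    guard, assignment = command
    if not guard(state):
        return None
    new_state = dict(state)
    new_state.update(assignment)
    return new_state if invariant(new_state) else None

# constructed automaton (see the assumptions above)
LOCATIONS = ["l1", "l2"]
INVARIANTS = {"l1": lambda s: s["x"] < 9, "l2": lambda s: s["x"] != 5}
TRANSITIONS = [
    ("l1", "a", lambda s: 1 < s["x"] < 3, [],    "l2"),
    ("l1", "a", lambda s: 7 < s["x"] < 9, ["y"], "l2"),
]
COMMANDS, INVARIANT = encode_timed_automaton(LOCATIONS, INVARIANTS, TRANSITIONS)

def successors(state):
    """Every state reachable from `state` by firing one encoded command."""
    return [s for s in (fire(c, state, INVARIANT) for c in COMMANDS) if s is not None]

if __name__ == "__main__":
    s0 = {"l1": True, "l2": False, "e": "a", "x": 8.0, "y": 8.0}
    print(successors(s0))   # one successor: location l2, y reset to 0.0
```

With the two one-hot Booleans replaced by the single variable b of Example 1 (b = l1), the two commands produced here are exactly the two commands of that example, which is what Example 3 states.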

Analyzing Timed Guarded Commands 

To verify properties of a timed guarded command program $G = (B, C, T, I)$, the corresponding
transition system $(S, \to)$ is analyzed symbolically. That is, given a set of states represented by a
formula $\psi$, one determines a formula that represents the set of states reachable by executing timed
guarded commands according to the inference rule (3) or by advancing time according to the inference
rule (4). In the following it is shown that this formula is obtained by manipulations entirely within
the logic (1).

Any expression $\phi$ generated by the grammar (2) can be represented by a difference constraint expression
$\phi_z$ of the form (1). The expression $\phi_z$ is obtained by introducing a new variable $z$ (denoting
"zero") and performing the following three steps: First, encode each Boolean variable $b_j \in B$ in $\phi$
as a difference constraint $x_j - x'_j < 0$, where $x_j, x'_j \in C$ are clocks only used in the encoding of $b_j$.
Second, replace each occurrence of a constraint of the form $x \sim d$ in $\phi$ with the difference constraint
$x - z \sim d$. Third, express each difference constraint of the form $x - y \sim d$ in terms of the relational
operator $<$.

Two useful operators on difference constraint expressions are defined: replacement and assignment.
Replacement syntactically substitutes all occurrences of a variable $x$ by a variable $y$ plus a constant
$d$ in an expression $\psi$, denoted by $\psi[y + d/x]$. If $x$ and $y$ are different variables, the replacement
$\psi[y + d/x]$ can be expressed in the grammar (1) as $\exists x.(\psi \wedge (x - y = d))$. Otherwise, $\psi[x + d/x]$ is
defined as $\psi[t/x][x + d/t]$, where $t$ is a variable different from $x$ and not occurring in $\psi$. Assignment
gives a variable $x$ the value of a variable $y$ plus a constant $d$, denoted by $\psi[x := y + d]$. If $x$
and $y$ are different variables, the assignment $\psi[x := y + d]$ is expressed in the grammar (1) as
$(\exists x.\psi) \wedge (x - y = d)$. Otherwise, the assignment $\psi[x := x + d]$ is defined as $\psi[x - d/x]$ (which
might seem counter-intuitive). Assignment and replacement of Boolean variables are defined in the
standard way.

To formally express the symbolic manipulations, a useful shorthand is introduced: $[\![\psi]\!]_z$ is used as
a shorthand for $[\![\exists z.(\psi \wedge z = 0)]\!]$; that is, $[\![\psi]\!]_z$ is the set of states that satisfy $\psi$ when $z$ is equal to 0.
It is easy to prove that $[\![\phi]\!] = [\![\phi_z]\!]_z$ for any $\phi$. Eliminating the constraints of the form $x \sim d$ from
the grammar in (2) makes it possible to add $\delta$ to all clocks simultaneously by decreasing the common
reference-point $z$ by $\delta$:

$$[\![\phi[c := c + \delta]]\!] = [\![\phi_z[z := z - \delta]]\!]_z . \qquad (5)$$

Furthermore, as will be shown in the following, the set of states reachable by advancing time by any
value $\delta$ can be computed by an existential quantification of $z$.

Reachability Analysis 

Given an expression $\psi$ of the form (1) representing a set of states $[\![\psi]\!]_z$, an expression representing
the set of states reachable from $[\![\psi]\!]_z$ can be determined. The set of states reachable by firing the
timed guarded command $t$ from any state in $[\![\psi]\!]_z$ is determined by the function $\mathrm{NEXT}_{discrete}(\psi, t)$.
The function restricts $\psi$ to the subset where the guard $g$ holds, performs the assignment of the constants
$d$ to the variables $v$, and restricts the resulting set to the subset where the state invariant $I$
holds:

$$\mathrm{NEXT}_{discrete}(\psi, g \to v := d) = (\psi \wedge g_z)[v := d] \wedge I_z , \qquad (6)$$

where the assignment $[v := d]$ is a shorthand for $c_i := z + d_i$ for each of the clocks $c_i$ in $v$ and
$b_i := d_i$ for each of the Boolean variables $b_i$ in $v$. The set of states that can be reached from the set $[\![\psi]\!]_z$
by firing any timed guarded command in $T$ is given by:

$$\mathrm{NEXT}_{discrete}(\psi) = \bigvee_{t \in T} \mathrm{NEXT}_{discrete}(\psi, t) . \qquad (7)$$
The $z$-variable plays a central role when determining the set of states that can be reached from $[\![\psi]\!]_z$
by firing a timed transition. Time is advanced by changing the reference-point from $z$ to $z'$ with
$z' \le z$ since decreasing the reference-point by $\delta$ corresponds to increasing the values of all clocks by
$\delta$. Often the system will restrict the valid choices for $z'$ by requiring that the state invariant holds in
$z'$ and at all intermediate points in time. This is expressed by the predicate

$$P_{next} = (z' \le z) \wedge I_{z'} \wedge \forall z''.((z' \le z'' \le z) \Rightarrow I_{z''}) .$$

If the state invariant $I_z$ only expresses upper bounds on the clocks, the universal quantification is
implied by $I_{z'}$ and can be omitted.

Now, to advance time by $\delta$ in all states $[\![\psi]\!]_z$, the reference-point $z$ is decreased by $\delta$: $\psi[z := z - \delta]$,
which can also be written as $(\exists z.(\psi \wedge z' = z - \delta))[z/z']$. The set of states reachable from $[\![\psi]\!]_z$ that
also satisfy $P_{next}$ is given by $\exists z.(\psi \wedge (z - z' = \delta) \wedge P_{next})[z/z']$. Thus, the set of states reachable
from $[\![\psi]\!]_z$ by advancing time by an arbitrary amount is given by

$$\mathrm{NEXT}_{timed}(\psi) = \bigvee_{\delta} \exists z.(\psi \wedge (z - z' = \delta) \wedge P_{next})[z/z'] = \exists z.(\psi \wedge P_{next})[z/z'] . \qquad (8)$$

That is, time is advanced in a set of states by performing a single existential quantification.

Example 4 If the state invariant is $x \ne 5$, the predicate $P_{next}$ is given by:

$$\begin{aligned} P_{next} &= (z' \le z) \wedge (x - z' \ne 5) \wedge \forall z''.((z' \le z'' \le z) \Rightarrow (x - z'' \ne 5)) \\ &= (z' \le z) \wedge ((x - z' < 5) \vee (x - z > 5)) . \end{aligned}$$

Consider the set of states satisfying $\phi = (1 < x < 3) \vee (7 < x < 9)$. The set of states obtained by
advancing time from $\phi$ is thus given by $[\![\mathrm{NEXT}_{timed}(\phi_z)]\!]_z$, where:

$$\mathrm{NEXT}_{timed}(\phi_z) = \exists z.(\phi_z \wedge P_{next})[z/z'] = (1 < x - z < 5) \vee (7 < x - z) .$$

A timed guarded command $t \in T$ is called urgent if it is required to fire instantaneously whenever
the guard becomes true. Modifying $P_{next}$ to handle urgent commands is straightforward: Given a set
$T_u \subseteq T$ of urgent timed guarded commands, we let $U$ denote the predicate:

$$U = \bigvee_{g \to v := d \in T_u} g .$$

Consider a state $s \in [\![\psi]\!]_z$. A timed transition $s \xrightarrow{\delta} s'$ can only fire if there are no urgent transitions
enabled in $s$. Thus, an additional requirement is added to $P_{next}$ ensuring that no urgent transitions are
enabled when advancing time (except in the endpoint), i.e., the revised $P_{next}$ becomes:

$$P_{next} = (z' \le z) \wedge I_{z'} \wedge \forall z''.((z' < z'' \le z) \Rightarrow (I_{z''} \wedge \neg U_{z''})) .$$

If the urgency predicate does not refer to $z$, $P_{next}$ is simplified to

$$P_{next} = (z' \le z) \wedge I_{z'} \wedge \forall z''.((z' \le z'' \le z) \Rightarrow I_{z''}) \wedge \neg U_z .$$

The functions defined in (7) and (8) form the basis for constructing the set of reachable states symbolically.
Let $\mathrm{NEXT}(\psi)$ be a function which determines the set of states which can be reached by firing
either a discrete or a timed transition from a state in $[\![\psi]\!]_z$:

$$\mathrm{NEXT}(\psi) = \mathrm{NEXT}_{discrete}(\psi) \vee \mathrm{NEXT}_{timed}(\psi) .$$

The set of states reachable from $[\![\psi]\!]_z$, denoted $\mathrm{REACHABLE}(\psi)$, is the least fixed point of the function
$F(X) = \psi \vee \mathrm{NEXT}(X)$, which can be determined using a standard fixed-point iteration. Detecting
that a fixed point has been reached is done by checking that two successive approximations $\psi_i$ and
$\psi_{i+1}$ are semantically equivalent (i.e., that $\psi_i \Leftrightarrow \psi_{i+1}$ is a tautology). It is well known that there exist
(contrived) timed systems where the computation of the fixed point does not terminate, for example
if the difference between two clocks increases ad infinitum. As in the traditional analysis of timed
automata, it is possible to determine subclasses of timed guarded commands for which termination is
ensured.

Example 5 Consider again the program from Example 1. The set of states reachable from $\phi =
b \wedge (x = y = 0)$ is $[\![\mathrm{REACHABLE}(\phi_z)]\!]_z$, where:

$$\begin{aligned} \mathrm{REACHABLE}(\phi_z) = {} & (b \wedge x = y \wedge x - z < 9) \\ & \vee (\neg b \wedge ((x = y \wedge 1 < x - z < 5) \vee (7 < x - y < 9 \wedge 7 < x - z))) . \end{aligned}$$

Symbolic Model Checking 

To perform symbolic model checking, for example of a TCTL formula, the set of states that can reach
a given set $[\![\psi]\!]_z$ needs to be determined. The set of states that can reach $[\![\psi]\!]_z$ by firing any timed
guarded command $g \to v := d$ in $T$ is given by

$$\mathrm{PREV}_{discrete}(\psi) = \bigvee_{g \to v := d \in T} (\exists v.(\psi \wedge v = d)) \wedge g_z \wedge I_z , \qquad (9)$$

where the expression $v = d$ is a shorthand for $c_i - z = d_i$ for each of the clocks $c_i$ in $v$ and $b_i \Leftrightarrow d_i$
for each of the Boolean variables $b_i$ in $v$. The set of states that can reach $[\![\psi]\!]_z$ by advancing time is
determined analogously to the forward case:

$$\mathrm{PREV}_{timed}(\psi) = \exists z.(\psi \wedge P_{prev})[z/z'] ,$$

where

$$P_{prev} = (z \le z') \wedge I_{z'} \wedge \forall z''.((z \le z'' \le z') \Rightarrow I_{z''}) .$$

The set of states that can reach a state in $[\![\psi]\!]_z$ by firing either a discrete or a timed transition is:

$$\mathrm{PREV}(\psi) = \mathrm{PREV}_{discrete}(\psi) \vee \mathrm{PREV}_{timed}(\psi) .$$

Thus, the set of states that can reach a state satisfying $\psi$ is constructed as the least fixed point of the
function $B(X) = \psi \vee \mathrm{PREV}(X)$. Moreover, PREV can be used to perform symbolic model checking
of TCTL. TCTL is a timed version of CTL obtained by extending the logic with an auxiliary set of
clocks called specification clocks. These clocks do not appear in the model and are used to express
timing bounds on the temporal operators. The atomic predicates of TCTL are difference constraints
over the clocks from the model and the specification clocks. Semantically, the specification clocks
become part of the state; they proceed synchronously with the other clocks but are not changed by the
model. A specification clock $u$ can be bound and reset by a reset quantifier $u.\psi$.
Symbolically, the set of states satisfying a given TCTL formula $\psi$ can be found by a backward
computation using a fixed-point iteration for the temporal operators. For instance, the set of states
satisfying the formula $\psi_1 \,\mathrm{EU}\, \psi_2$ is computed symbolically as the least fixed point of the function
$B(X) = \psi_2 \vee (\psi_1 \wedge \mathrm{PREV}(X))$. The set of states satisfying $u.\psi$ is computed symbolically as
$\exists u.(\psi \wedge u - z = 0)$, i.e., the reset quantifier corresponds to restricting the value of $u$ to zero and
then removing it by existential quantification. The atomic predicates and the Boolean connectives
correspond precisely to the corresponding difference constraint expressions.

Above the set of states has been determined using a constrained image approach. To compose systems
synchronously, as used for instance in timed automata, a timed guarded command program can be
encoded using a transition relation $R$ over "present-state" variables $V = B \cup C \cup \{z\}$ and the "next-
state" variables $V' = \{v' : v \in V\}$ (as traditionally done in symbolic model checking of discrete
systems but including the reference points $z$ and $z'$). The relation $R$ is constructed by combining the
transitions of each automaton using disjunctions and then combining the automata using conjunctions.
Thus, the parallel composition of a set of timed automata can be analyzed fully symbolically, i.e., both
symbolically with respect to the parallel composition and with respect to the representation of sets
of clock valuations and discrete states. Using a transition relation, well-known and very useful tricks
from the work on BDDs, such as early variable quantification and partitioned representation of the
transition relation, are immediately applicable.



Difference Decision Diagrams 

The preferred embodiment of the invention is a data structure called difference decision diagrams or
DDDs where the nodes comprise difference constraints such as inequalities of the form $x - y < c$ or
$x - y \le c$, where $x$ and $y$ are integer or real-valued variables and $c$ is a constant.

A difference decision diagram (DDD) is a directed acyclic graph. The node set comprises two terminals
0 and 1 with out-degree zero, and a set of non-terminal nodes with out-degree two. Each
non-terminal node $v$ comprises a difference constraint expression of the form $x - y < c \to h, l$ or
$x - y \le c \to h, l$, with the following attributes: $\mathit{pos}(v) = x$, $\mathit{neg}(v) = y$, $\mathit{op}(v) \in \{\mathrm{LE}, \mathrm{LEQ}\}$
(LE denoting the operator $<$, and LEQ denoting the operator $\le$), $\mathit{const}(v) = c$, $\mathit{high}(v) = h$, and
$\mathit{low}(v) = l$. The symbol $\lessdot$ is used to denote either $<$ or $\le$. The edge set comprises the edges
$(v, \mathit{low}(v))$ and $(v, \mathit{high}(v))$, where $v \in V$ is a non-terminal node.

A root in a DDD is a node that represents an expression of particular interest. Any node in a DDD 
can be a root. 

A difference decision diagram represents a formula implicitly: Each non-terminal node corresponds
to an if-then-else operator. The if-then-else operator $\alpha \to \psi_1, \psi_0$ is defined as $(\alpha \wedge \psi_1) \vee (\neg\alpha \wedge \psi_0)$,
where $\alpha$ is a Boolean expression. The meaning of a node (or a root) is defined recursively by:

$$[\![0]\!] = \mathit{false},$$

$$[\![1]\!] = \mathit{true},$$

$$[\![v]\!] = \begin{cases} x - y < c \to [\![h]\!], [\![l]\!] & \text{if } \mathit{op}(v) = \mathrm{LE}, \\ x - y \le c \to [\![h]\!], [\![l]\!] & \text{if } \mathit{op}(v) = \mathrm{LEQ}, \end{cases}$$

where $x = \mathit{pos}(v)$, $y = \mathit{neg}(v)$, $c = \mathit{const}(v)$, $h = \mathit{high}(v)$, and $l = \mathit{low}(v)$. In the following,
two notational shorthands are frequently used: $\mathit{var}(v) = (\mathit{pos}(v), \mathit{neg}(v))$ and
$\mathit{bound}(v) = (\mathit{op}(v), \mathit{const}(v))$. Adding two bounds $(o_1, c_1)$ and $(o_2, c_2)$ gives $(o_1 + o_2, c_1 + c_2)$, where $o_1 + o_2$ is
LEQ if both $o_1$ and $o_2$ are LEQ and LE otherwise. Negating a bound $(o, c)$ gives $(\neg o, -c)$, where $\neg\mathrm{LE}$
is LEQ and $\neg\mathrm{LEQ}$ is LE.

Figures 6-11 show some examples of DDDs, namely the six basic difference constraints $x_2 - x_1 \sim 0$,
where $\sim$ is one of $\{<, \le, =, \ne, \ge, >\}$. To make the figures easier to comprehend and appear more
pleasant to the eye, a minus sign is shown between the variables, and in the figures $<$ is written instead
of LE, and $\le$ for LEQ. High-branches are drawn with solid lines, and low-branches are drawn with
dashed lines.



Ordering

The expressions of the nodes in a DDD are ordered. Such an order can for example be constructed
from an ordering of the variables $x_1, \ldots, x_n$ as follows. Assume that the variables are named so that
they are ordered according to their indices:

$$x_1 \prec x_2 \prec \cdots \prec x_n .$$

Pairs of variables $(x_i, x_j)$ of a node in a DDD are conveniently assumed to be normalized; that is,
$x_i \succ x_j$. This does not restrict what can be represented with DDDs, because

$$x_j - x_i < c \to h, l \;=\; \neg(x_j - x_i < c) \to l, h \;=\; x_i - x_j \le -c \to l, h$$

and similarly for $x_j - x_i \le c \to h, l$. With $n$ variables there can be at most $n(n-1)/2$ normalized
pairs of variables $(x_i, x_j)$, which for instance can be ordered such that

$$(x_i, x_j) \prec (y_i, y_j) \quad \text{if and only if} \quad x_j \prec y_j \vee (x_j = y_j \wedge x_i \prec y_i) ,$$

that is

$$\begin{aligned} & (x_2, x_1) \prec (x_3, x_1) \prec (x_4, x_1) \prec \cdots \prec (x_n, x_1) \prec \\ & (x_3, x_2) \prec (x_4, x_2) \prec \cdots \prec (x_n, x_2) \prec \\ & \cdots \\ & (x_{n-1}, x_{n-2}) \prec (x_n, x_{n-2}) \prec \\ & (x_n, x_{n-1}) . \end{aligned}$$

With, for example, four variables the ordering could be:

$$(x_2, x_1) \prec (x_3, x_1) \prec (x_4, x_1) \prec (x_3, x_2) \prec (x_4, x_2) \prec (x_4, x_3) .$$

The two operators are preferably ordered such that LE $\prec$ LEQ, and the constants are preferably
ordered as usual in $\mathbb{Z}$ or $\mathbb{R}$. The 4-tuples $(\mathit{pos}(v), \mathit{neg}(v), \mathit{op}(v), \mathit{const}(v))$ of attributes are then
for example ordered lexicographically. An example is:

$$(x_2, x_1, \mathrm{LE}, 0) \prec (x_2, x_1, \mathrm{LEQ}, 0) \prec (x_5, x_1, \mathrm{LEQ}, 1) \prec (x_5, x_2, \mathrm{LE}, 0) \prec (x_4, x_3, \mathrm{LE}, 0) .$$

It is convenient to let the two terminals be greater than all non-terminals. In practice, it is convenient
to define 0 and 1 to have all the attributes of the non-terminals, and let the variables of 0 and 1 be

Implementation 

A DDD can be implemented as a data structure in a computer program. The nodes and pointers are 
stored in a global table in the computer's memory. Associated with each node is a set of attributes 
consisting of a mathematical expression comprising at least one inequality with at least one variable, 
and a number of pointers corresponding to the number of outcomes of the expression. If, for example, 
the expression is a difference constraint, the attributes of a node comprise at least two variables, an 
inequality operator, a constant, and two pointers. 

Nodes and edges in a DDD can for example be stored as a graph $G$. Initially, $G$ comprises the two
terminal nodes 0 and 1. A non-terminal node comprises at least six attributes of type

$$\mathit{Attr} = \mathit{Var} \times \mathit{Var} \times \{\mathrm{LE}, \mathrm{LEQ}\} \times D \times V \times V .$$

Attributes of a node and the node itself are distinguished. The node is merely a unique identifier, an
index in a table of attributes. The edges of $G$ are not stored explicitly, but implicitly via the attributes
in the nodes. The following operations on the graph are used ($\mathit{Graph}$ denotes the type of the graph $G$):

$$\mathit{insert} : \mathit{Graph} \times \mathit{Attr} \to V, \quad \mathit{member} : \mathit{Graph} \times \mathit{Attr} \to \mathbb{B}, \quad \text{and} \quad \mathit{lookup} : \mathit{Graph} \times \mathit{Attr} \to V .$$

The function $\mathit{insert}(G, a)$ creates a new node $v$ in $G$ with attributes $a$ and returns $v$. The high-
and low-branches must be nodes already in $G$, and the variables must be different. The function
$\mathit{member}(G, a)$ returns true if $G$ contains a node with attributes $a$. The function $\mathit{lookup}(G, a)$ returns
the node in $G$ that has attributes $a$. If $G$ has no node with attributes $a$, the function is unspecified.

Insertion can be done in constant time. In practice, however, memory management must be taken
into account: Memory must be allocated for the attributes and garbage collection is performed when
memory becomes exhausted. These memory management functions can be implemented using
standard techniques known to a person skilled in the art such that the expected cost for an insertion will be
$O(1)$. The two other operations ($\mathit{member}$ and $\mathit{lookup}$) can be done in expected constant time, using
a hash table that maps attributes to nodes.

The following operations are easily implemented on the attributes of non-terminal nodes:
$\mathit{pos} : V \to \mathit{Var}$, $\mathit{neg} : V \to \mathit{Var}$, $\mathit{var} : V \to \mathit{Pair}$, $\mathit{op} : V \to \{\mathrm{LE}, \mathrm{LEQ}\}$, $\mathit{const} : V \to D$,
$\mathit{bound} : V \to \mathit{Bound}$, $\mathit{high} : V \to V$, $\mathit{low} : V \to V$, where $\mathit{Pair} = \mathit{Var} \times \mathit{Var}$, and
$\mathit{Bound} = \{\mathrm{LE}, \mathrm{LEQ}\} \times D$.
The type $\mathit{Cstr} = \mathit{Pair} \times \mathit{Bound}$ is used to represent constraints. The implementation uses $n$ variables
which are ordered. Each variable $x_i$ is uniquely identified by the index $i$ (i.e., $x_i = x_j$ implies $i = j$),
so that the variable indices can be used to index matrices and arrays.

The algorithms Mk and MkDiffCstr create DDDs for basic expressions. Mk creates a DDD for
an ITE expression $x - y \lessdot c \to h, l$, and MkDiffCstr creates a DDD for a difference constraint
$x - y \sim c$, where $\sim$ is one of $\{<, \le, =, \ne, \ge, >\}$.

ITE Expressions 

The basic operation on the DDD data structure is Mk, which creates a node for an ITE expression. 
The function Mk only creates locally reduced nodes. Using Mk as the only means for creating nodes 
in the DDD, will make sure that they are locally reduced. The function is preferably implemented as 
the computer program presented in Algorithm 1. 

A pair of variables (x, y) is said to be normalized if x ≻ y, i.e., x is after y in the variable ordering. 
In Mk the pair of variables (x, y) must be normalized, and the node to be created must be ordered 
with respect to the high- and low-branches. The function Mk consists of four steps: (1) if the domain 
is Z, weak upper bounds are used; (2) if G already contains an identical node, it is returned; (3) if the 
high- and low-branches are identical, one of them is used; and (4) if the test is obviously redundant, 
the low-branch is returned. Clearly, Mk creates only nodes that are locally reduced, provided that the 
input is ordered. 

If a pair of variables is not normalized, the function MkNorm shown in Algorithm 2 can for instance 
be used to normalize a constraint. If x = y, we return 0 if the upper bound is negative, and 1 otherwise 
(clearly, x - x < 0 is false, but all weaker bounds make it true). Otherwise, we normalize the pair 
of variables and negate the bound. 

Difference Constraints 

The function MkDiffCstr(x, y, o, c) shown in Algorithm 3 uses Mk to create DDDs for the six 
types of difference constraints, see Figs. 6-11. The construction is dependent on the operator o, which 
is one of {EQ, NEQ, LEQ, GEQ, LE, GR}. In each case, the difference constraint can be expressed 
using LE or LEQ, or a combination of both. Furthermore, for o = EQ and o = NEQ, the two nodes are 
combined in the correct order, so that the resulting DDD is still ordered. In both cases the node with 
LE must be the topmost node, because LE < LEQ. 

Boolean Combinations 

To combine DDDs with Boolean connectives the function Apply shown in Algorithm 4 is preferably 
used. Apply is based on five equivalences and uses the well-known technique of dynamic program- 
ming to avoid exponential running time. 

Difference constraint expressions can be combined with conjunction, disjunction, implication and 
bi-implication, and can be negated. The Apply algorithm allows any Boolean combination of two 
expressions to be performed. Conn denotes the set of all dyadic Boolean connectives. A function 

eval : Conn x {0, 1} x {0, 1} -> {0, 1} 

returns the result of combining two terminal nodes with the given Boolean connective. For example, 
eval(AND, 1, 1) = 1. 

Apply is a generalization of the version used for reduced ordered binary decision diagrams, which is 
based on the fact that any binary Boolean operator op distributes over the if-then-else operator: 

(a -> h, l) op (a' -> h', l') = a -> (h op (a' -> h', l')), (l op (a' -> h', l')) . 

This equivalence provides a method to combine two DDDs with a Boolean connective. Reading the 
equivalence from left to right, it is seen that the Boolean connective can be moved down one level in 
the DDD. If this is continued, until both arguments of op are 0 or 1, the Boolean expression can be 
evaluated and the appropriate result returned. In the above equation, a is the topmost constraint on 
the right-hand side, but also a' could be used: 

(a -> h, l) op (a' -> h', l') = a' -> ((a -> h, l) op h'), ((a -> h, l) op l') . 

If the two pairs of variables are equal, one or two of the branches can be evaluated directly. There are 
three cases depending on whether a ≺ a', a = a', or a ≻ a': 

(a -> h, l) op (a' -> h', l') = 
    a  -> (h op h'), (l op (a' -> h', l'))    if a ≺ a', 
    a  -> (h op h'), (l op l')                if a = a', 
    a' -> (h op h'), ((a -> h, l) op l')      if a ≻ a'. 



To avoid exponential running time, dynamic programming is preferably used to memorize the pre- 
viously computed results. As it is well-known, a global hash-table H of type HashTable can be 
implemented having the following operations: 

insert : HashTable x (Conn x V x V) x V -> unit 
member : HashTable x (Conn x V x V) -> B 
lookup : HashTable x (Conn x V x V) -> V 

The function insert(H, (op, u, v), r) creates a new entry ((op, u, v), r) in H where r is the result 
of computing Apply(op, u, v). The function member(H, (op, u, v)) returns true if Apply(op, u, v) 
has been computed previously. The function lookup(H, (op, u, v)) returns the result r of computing 
Apply(op, u, v). If the result is not in the hash table, the function is unspecified. 

The efficiency of Apply can be further improved in the special cases where one of the operands 
is true or false, or where the two operands are identical. The improved algorithm depends on the 
operator. For conjunction, for example, the following program fragment can be inserted before the 
first if-statement in Apply: 

if op = AND then 
    if u = 0 ∨ v = 0 then 
        return 0 
    elsif u = 1 then 
        return v 
    elsif v = 1 ∨ u = v then 
        return u 

Note that the check u = v is only syntactical. If u and v are semantically equivalent, but not syntactic- 
ally the same, the expression will not be simplified. This is a consequence of the lack of canonicity of 
locally reduced DDDs. However, experiments with examples show that Apply runs approximately 
twice as fast with these optimizations. 

Negation 

A DDD u can be negated by using Algorithm 5, where NP1 is the binary operator that negates its first 
argument and discards the second. 

Path Reducing 

To further improve the representation of the DDD, the data structure can be path-reduced. In a 
path-reduced DDD, all 0- and 1-paths are feasible. A path defines a constraint system S as the 
conjunction of all the constraints occurring when following the high- and low-branches in a path. 
As it is well-known, such a constraint system can be represented as a directed weighted graph and 
a solution found by solving a shortest path problem. Determining feasibility (i.e., the existence of 
a solution) of S corresponds to the non-existence of a negative-weight cycle in the constraint graph 
G_S induced by S. If the constraint graph is represented as a square matrix, the well-known Floyd- 
Warshall algorithm can be used to find a negative-weight cycle with the algorithm Feasible 
shown in Algorithm 6. The algorithm calls Floyd-Warshall, and if any diagonal element is 
negative, it returns false; otherwise, it returns true. 

An efficient algorithm for performing path reduction is obtained using an incremental version of 
Bellman-Ford's single-source shortest paths algorithm. Before presenting the algorithm, it is shown 
how the Bellman-Ford algorithm can be used to determine whether a graph has a negative-weight 
cycle. 

The Bellman-Ford algorithm uses a technique called relaxation. It makes n - 1 passes over the edges 
in the weighted graph G_S with n nodes, and in each pass all edges are relaxed once. A relaxation consists 
of updating a distance array d, where each entry d_i is an estimate of the minimal distance from a 
virtual node x_0 to the node x_i. Initially all estimates are set to (≤ 0). Each pass monotonically 
decreases the estimates in d, and if an estimate has not converged after n - 1 passes, the graph has 
a negative-weight cycle. That is, if we can relax any edge in the nth pass, the graph has a negative- 
weight cycle. Introducing the virtual node corresponds to adding a new variable x_0 to the constraint 
system and letting x_i - x_0 ≤ 0 for all i = 1, 2, ..., n. Clearly, this does not change the feasibility of 
the system. If the system is feasible, each entry d_i is the minimal distance from x_0 to x_i. 

The incremental version of the Bellman-Ford algorithm used here has been modified at two points: (1) the 
number of passes to make is minimized, and (2) a better initial estimate than (≤ 0) is used. Firstly, 
the number of passes is minimized by stopping after the first pass that does not change any estimates 
in the distance array. Clearly, if a pass does not change the distance array, then the subsequent 
passes will not change it either, because estimates decrease monotonically. Secondly, the improved 
initial estimates are obtained as follows: After having run the Bellman-Ford algorithm on a graph, 
and having found that it has no negative-weight cycles, the distance array d contains the minimal 
distances from x_0 to all other nodes. Suppose an extra edge e = (x_i, x_j) is added to the graph. This 
edge may or may not change some or all of the estimates in d, but it will not cause any of the estimates 
to increase. Thus, the estimates can be reused. In most situations, adding an edge to a graph changes 
only some of the minimal distances, so there is a good chance that only a few extra passes are needed 
to recalculate d. For example, if the graph already has a path from x_i to x_j with weight less than or 
equal to the weight of e (i.e., e is redundant), then d contains the correct minimal distances, and the 
algorithm stops after one pass. 

The incremental version of Bellman-Ford is used to test for feasibility in the algorithm Reduce that 
path-reduces a DDD. The algorithm uses a list L in which each element is a pair ((x_i, x_j), (< c)) 
denoting an edge from x_i to x_j with weight (< c). The length of the list is limited to n(n - 1) 
by keeping it squeezed (i.e., removing consecutive tests on the same pair of variables). The set W 
contains the variables in the path from u to v, which gives a bound on the number of passes that have 
to be made. Very often, the number of variables in a path is much less than n. 

WO 00/13113 PCT/DK99/00456 

Before discussing the incremental Bellman-Ford algorithm used in Reduce, consider the graph in 
Fig. 12. Clearly, it has a negative-weight cycle (i.e., a cycle with weight less than (≤ 0)), but using the 
addition operation defined for upper bounds, this negative-weight cycle will be detected neither by the 
incremental nor by the original Bellman-Ford algorithm. To see why, recall that (< 0) + (< 0) = (< 0). 
Thus, after one pass all estimates will be (< 0), the relaxing of the edges is stopped, and true is 
returned (i.e., the graph has no negative-weight cycle). Informally speaking, the problem is that the 
number of <'s in the estimates is not counted: (≤ 0) + (< 0) should give (< 0), and (< 0) + (< 0) 
should give a bound with two <'s, etc. 

To cope with this problem, a variable counting the number of <'s in a path is used. The bound ≤ 
counts as 0, and < counts as 1. An estimate now becomes a pair of integers (δ_i, c_i) where δ_i denotes 
the number of <'s, and c_i is the weight of the path (without any <'s or ≤'s). This explains why all 
elements in d are initialized to (0, 0) in the top level call. Adding an upper bound to an estimate and 
comparing two estimates are defined by: 

(LEQ, c_1) + (δ, c_2) = (δ, c_1 + c_2) 

(LE, c_1) + (δ, c_2) = (δ + 1, c_1 + c_2) 

(δ_1, c_1) ≺ (δ_2, c_2)  iff  c_1 < c_2 ∨ (c_1 = c_2 ∧ δ_1 > δ_2) 

Algorithm 8 shows the incremental version of Bellman-Ford. At most m = |W| passes are made, 
and if a pass does not change the distance array (i.e., unchanged is true), the algorithm stops. Notice 
that if the first relaxation in the loop leaves d unchanged, the first constraint in L is redundant. A 
relaxation consists of iterating over all elements in L and updating d if an edge makes an estimate 
better. An edge (x_i, x_j) with weight b makes an estimate (δ_j, c_j) better if (δ_j, c_j) ≻ b + (δ_i, c_i). 
Inserting constraints in a list while maintaining it squeezed is done by the function InsertCstr shown in 
Algorithm 9. 

Functional Properties 

It is easy to write algorithms that check for tautology, satisfiability, etc., using Reduce, see Al- 
gorithm 10. However, a preferred implementation is often based on algorithms that search for counter- 
examples. If u has a feasible 0-path, u is not a tautology; that is, the search can stop after encoun- 
tering the first feasible 0-path. This observation is used in the algorithm AllInfeasible shown in 
Algorithm 11 which returns true if and only if all t-paths (t ∈ {0, 1}) in v are infeasible, stopping 
when it finds the first feasible t-path. Similarly, we define ExistsFeasible in Algorithm 12 which 
returns true if and only if there exists a feasible t-path in v. Algorithms 11 and 12 can then be used to 
test for functional properties as shown in Algorithm 14. 

On some examples it is more efficient, and therefore preferable, to change the first three lines in Al- 
gorithm 11 to: 

if v = t then 
    return ¬Feasible'(|W|, Array(0, 0), L) 
elsif v ∈ {0, 1} then 
    return true 

And similarly for Algorithm 12. 



Anysat 

If a DDD is not unsatisfiable, a satisfying value assignment can be found for it. Recall that the 
distance array d for a feasible constraint system contains the minimal distances from x_0 to all other 
nodes. In terms of the constraint system, d_i corresponds to the least upper bound on x_i - x_0. Letting 
(arbitrarily) x_0 = 0, a feasible solution can be read off the constraint system: 

x_i = c        if d_i = (δ, c) ∧ δ = 0, 
x_i = c - ε    if d_i = (δ, c) ∧ δ > 0, 

where ε is some sufficiently small, positive constant. The value ε is preferably chosen to be less than 
the minimal difference between any two different constants c_i and c_j in d. 

Anysat shown in Algorithm 15 is almost identical to ExistsFeasible: If the path is feasible in the 
terminal case v = 1, an assignment a is constructed as described in the equation above and returned. 
If the path is not feasible, or if v = 0, the value ⊥ is returned, indicating that the path has no satisfying 
value assignment. In the non-terminal case, Anysat is called on the high-branch and, if that does 
not result in a satisfying assignment, Anysat is called on the low-branch. 
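The estimate arithmetic of Algorithm 8, the squeezed constraint list of Algorithm 9 and the Anysat read-off above, as one added Python example; this is not the patent's program. Variables are the indices 0..n-1, the edge encoding (an edge x_i -> x_j of weight b for the path constraint x_j - x_i ~ b), the names solve, read_off and satisfies, and the sample constraint systems are all constructed for this example. It departs from the page in one point, marked in the code: the read-off subtracts δ·ε instead of a single ε, so that a chain of strict constraints such as x - y < 0, y - z < 0 stays strict in the assignment.

```python
"""Path feasibility with the (delta, c) estimates of Algorithm 8, the squeezed
constraint list of Algorithm 9 and the Anysat read-off. Added example, not the
patent's program.

L holds ((xi, xj), (op, c)): an edge xi -> xj of weight c, i.e. the path
constraint xj - xi < c (op = LE) or xj - xi <= c (op = LEQ). Variables are
0..n-1 and d[i] = (delta, c) estimates the shortest distance from the virtual
node x0 to xi, delta counting the strict edges on that path.
"""
LE, LEQ = 0, 1

def add_bound(b, e):
    """(LEQ,c1)+(delta,c2) = (delta, c1+c2); (LE,c1)+(delta,c2) = (delta+1, c1+c2)."""
    return (e[0] + (1 if b[0] == LE else 0), b[1] + e[1])

def better(e1, e2):
    """e1 precedes e2 in the page's order: smaller weight, or equal weight with more <'s."""
    return e1[1] < e2[1] or (e1[1] == e2[1] and e1[0] > e2[0])

def insert_cstr(L, v, b):
    """Algorithm 9: push (v, b) on the list, replacing the head when it tests the same pair."""
    return [(v, b)] + (L[1:] if L and L[0][0] == v else L)

def feasible(m, d, L):
    """Algorithm 8: relax L over the reusable estimate array d (updated in place),
    at most m + 1 passes; True iff some pass leaves d unchanged (no negative cycle)."""
    for _ in range(m + 1):
        unchanged = True
        for (xi, xj), b in L:
            cand = add_bound(b, d[xi])
            if better(cand, d[xj]):
                d[xj], unchanged = cand, False
        if unchanged:
            return True
    return False                    # still relaxing after m + 1 passes: negative-weight cycle

def read_off(d, L):
    """Anysat read-off x_i = c - delta * eps. The page uses c - eps; this example
    scales eps by delta (an assumption) so chained strict constraints stay satisfied."""
    slack = [d[xi][1] + b[1] - d[xj][1] for (xi, xj), b in L]   # how loose each edge is
    gap = min([s for s in slack if s > 0], default=1)
    eps = gap / (len(d) + 1)        # small enough that no positive slack is consumed
    return [c - delta * eps for delta, c in d]

def satisfies(L, a):
    """Check an assignment against every edge constraint in L."""
    return all((a[xj] - a[xi] < c) if op == LE else (a[xj] - a[xi] <= c)
               for (xi, xj), (op, c) in L)

def solve(n, cstrs):
    """cstrs: (x, y, op, c) meaning x - y op c over variables 0..n-1.
    Returns a satisfying assignment list, or None when the system is infeasible."""
    L = []
    for x, y, op, c in cstrs:
        L = insert_cstr(L, (y, x), (op, c))        # x - y op c is the edge y -> x
    d = [(0, 0)] * n                                # top-level call: all estimates (0, 0)
    if not feasible(n, d, L):
        return None
    a = read_off(d, L)
    assert satisfies(L, a)
    return a

if __name__ == "__main__":
    X, Y, Z = 2, 1, 0                               # constructed sample systems
    print(solve(3, [(X, Y, LEQ, 1), (Y, Z, LEQ, 2), (Z, X, LEQ, -3)]))   # [-3.0, -1.0, 0.0]
    print(solve(3, [(X, Y, LEQ, 1), (Y, Z, LEQ, 2), (Z, X, LE, -3)]))    # None: cycle weight (< 0)
    print(solve(2, [(1, 0, LE, 0), (0, 1, LE, 0)]))                      # None: the Fig. 12 situation
```

The third call is the situation of Fig. 12: with plain upper-bound arithmetic the estimates would settle at (< 0) after one pass, whereas the strict-count makes every pass find a "better" estimate until the pass limit is hit.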



Quantifiers 

It is generally important to be able to perform quantification of variables in order to make enquiries 
to the values represented by a DDD. Existential quantification of a variable x in an expression φ 
removes x from φ. Before presenting the algorithm Exists to perform this job, a small example is 
shown to illustrate what the algorithm should do. Figure 3 illustrates the set of solutions represented 
by a DDD. Quantifying out x in the expression φ = 1 < x - z < 3 ∧ (y - z > 2 ∨ y - x > 0) 
yields ∃x.φ = y - z > 1, see Fig. 13. Here, the constraint y - z > 1 does not occur explicitly in φ, 
but implicitly because of y - x > 0 and x - z > 1, see Fig. 14. 

The existential quantification of a variable x in a DDD u consists of removing all nodes comprising 
x from u, but keeping all the implicit constraints induced by x among the other variables. 

To compute ∃x.(x_i - x_j ≤ c -> h, l), two cases must be considered: If x is different from both x_i 
and x_j, the quantifier can be pushed down one level in the DDD: 

∃x.(x_i - x_j ≤ c -> h, l) = x_i - x_j ≤ c -> ∃x.h, ∃x.l    if x ∉ {x_i, x_j}. 

If x is equal to x_i or x_j, all paths in h and l with x_i - x_j ≤ c and x_i - x_j > c, respectively, are 
relaxed and the results are combined with disjunction: 

∃x.(x_i - x_j ≤ c -> h, l) = ∃x.Relax(h, x, x_i - x_j ≤ c) 
                            ∨ ∃x.Relax(l, x, x_j - x_i < -c)    if x ∈ {x_i, x_j}. 

The case for ∃x.(x_i - x_j < c -> h, l) is analogous. The algorithm for existential quantification is 
shown in Algorithm 16. 

If x is equal to x_i, relaxation of a path p with a constraint x_i - x_j ≤ c consists of adding a new 
constraint x_k - x_j ≤ c + c' to p for each constraint x_k - x_i ≤ c' in p. (In terms of the constraint 
graph defined by p, relaxation with x_i - x_j ≤ c, corresponding to an edge from x_j to x_i, creates a new 
edge from x_j to x_k with weight c + c' for each edge from x_i to x_k with weight c'; i.e., the edge from 
x_j to x_k is now explicit, not implicit via x_i.) The case where x is equal to x_j is symmetric. These 
observations lead to a function for performing relaxation shown in Algorithm 17. 

The well-known technique of dynamic programming is preferably used in both EXISTS and RELAX 
to increase efficiency. 
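The node constructors Mk, MkNorm and MkDiffCstr (Algorithms 1-3), Apply with the AND shortcuts (Algorithm 4), Not (Algorithm 5) and the existential quantification with relaxation described above (Algorithms 16 and 17), as one added Python example; it is not the patent's program. Nodes are hash-consed tuples over the real domain (the Z step of Mk is omitted), the unique table G is replaced by tuple identity, and the names var, bound, implied, evaluate and example_phi together with the variable ordering z < y < x are assumptions of this example. Relax follows the text's description of relaxation rather than the page's Algorithm 17. The example builds φ = 1 < x - z < 3 ∧ (y - z > 2 ∨ y - x > 0) from the quantifier section and checks that ∃x.φ comes out as y - z > 1.

```python
"""Difference decision diagram kernel (Mk, MkNorm, MkDiffCstr, Apply, Not, Exists, Relax).
Added example, not the patent's program. A non-terminal node is the tuple
(x, y, c, op, high, low), read as  x - y (< | <=) c -> high, low ; 0 and 1 are terminals.
A pair (x, y) is normalized when x > y; a bound is (c, op) with LE < LEQ so that Python's
tuple order is the page's bound order. Tuples hash structurally, so identical nodes are one
value: this stands in for the unique table G (an assumption of this example)."""
LE, LEQ = 0, 1
INF = float("inf")
def var(u):   return (u[0], u[1]) if u not in (0, 1) else (INF, INF)   # terminals sort last
def bound(u): return (u[2], u[3])
def high(u):  return u[4]
def low(u):   return u[5]
def neg_bound(b):       # not(x-y <= c) is y-x < -c ; not(x-y < c) is y-x <= -c
    return (-b[0], LE if b[1] == LEQ else LEQ)
def add_bound(b1, b2):  # x-y ~ c1 and y-z ~ c2 give x-z ~ c1+c2, strict if either is
    return (b1[0] + b2[0], LE if LE in (b1[1], b2[1]) else LEQ)

def mk(pair, b, h, l):
    """Algorithm 1 over the reals (no Z step): build only locally reduced nodes."""
    if h == l: return l                                  # identical branches
    if var(l) == pair and high(l) == h: return l         # test redundant with the low node
    return (pair[0], pair[1], b[0], b[1], h, l)

def mk_norm(pair, b, h, l):
    """Algorithm 2: normalize the pair; for x = y the test is constant, so the branch it
    selects is returned (the page returns 0/1, which coincides when h, l = 1, 0)."""
    x, y = pair
    if x == y:
        return l if b < (0, LEQ) else h
    return mk(pair, b, h, l) if x > y else mk((y, x), neg_bound(b), l, h)

def mk_diff_cstr(x, y, o, c):
    """Algorithm 3: DDD for x - y o c with o in '<', '<=', '=', '!=', '>', '>='."""
    if x < y and o in ('=', '!='):   # normalize first so the LE node stays on top
        x, y, c = y, x, -c
    if o == '<':  return mk_norm((x, y), (c, LE), 1, 0)
    if o == '<=': return mk_norm((x, y), (c, LEQ), 1, 0)
    if o == '=':  return mk_norm((x, y), (c, LE), 0, mk_norm((x, y), (c, LEQ), 1, 0))
    if o == '!=': return mk_norm((x, y), (c, LE), 1, mk_norm((x, y), (c, LEQ), 0, 1))
    if o == '>':  return mk_norm((x, y), (c, LEQ), 0, 1)
    if o == '>=': return mk_norm((x, y), (c, LE), 0, 1)
    raise ValueError(o)

CONN = {'and': lambda a, b: a & b, 'or': lambda a, b: a | b, 'imp': lambda a, b: (1 - a) | b}
H = {}   # memo table of Algorithm 4

def apply(op, u, v):
    """Algorithm 4, with the AND shortcuts the text inserts before its first if."""
    if op == 'and' and (u == 0 or v == 0): return 0
    if op == 'and' and u == 1: return v
    if op == 'and' and (v == 1 or u == v): return u
    if u in (0, 1) and v in (0, 1):
        return CONN[op](u, v)
    if (op, u, v) in H:
        return H[(op, u, v)]
    if var(u) < var(v):
        r = mk(var(u), bound(u), apply(op, high(u), v), apply(op, low(u), v))
    elif var(u) == var(v) and bound(u) < bound(v):
        r = mk(var(u), bound(u), apply(op, high(u), high(v)), apply(op, low(u), v))
    elif var(u) == var(v) and bound(u) == bound(v):
        r = mk(var(u), bound(u), apply(op, high(u), high(v)), apply(op, low(u), low(v)))
    elif var(u) == var(v):
        r = mk(var(v), bound(v), apply(op, high(u), high(v)), apply(op, u, low(v)))
    else:
        r = mk(var(v), bound(v), apply(op, u, high(v)), apply(op, u, low(v)))
    H[(op, u, v)] = r
    return r

def not_(u):
    """Algorithm 5: negation swaps the terminals."""
    return 1 - u if u in (0, 1) else mk(var(u), bound(u), not_(high(u)), not_(low(u)))

def implied(x, xi, xj, b, p, q, b2):   # chain xi - xj ~ b with p - q ~ b2 through x, else 1
    if x == xi == q: return mk_norm((p, xj), add_bound(b, b2), 1, 0)   # p - xi and xi - xj
    if x == xj == p: return mk_norm((xi, q), add_bound(b, b2), 1, 0)   # xi - xj and xj - q
    return 1

def relax(u, x, xi, xj, b):
    """Relaxation as the text describes it: below u, make explicit what xi - xj ~ b
    implies together with each path constraint on x (high and negated low constraint)."""
    if u in (0, 1): return u
    (p, q), b2 = var(u), bound(u)
    a = mk((p, q), b2, 1, 0)
    h = apply('and', relax(high(u), x, xi, xj, b), implied(x, xi, xj, b, p, q, b2))
    l = apply('and', relax(low(u), x, xi, xj, b), implied(x, xi, xj, b, q, p, neg_bound(b2)))
    return apply('or', apply('and', a, h), apply('and', not_(a), l))

def exists(x, u):
    """Algorithm 16: drop every node on x, keeping the constraints it implied."""
    if u in (0, 1): return u
    (xi, xj), b = var(u), bound(u)
    if x not in (xi, xj):                           # push the quantifier down one level
        a = mk((xi, xj), b, 1, 0)
        return apply('or', apply('and', a, exists(x, high(u))),
                           apply('and', not_(a), exists(x, low(u))))
    return apply('or', exists(x, relax(high(u), x, xi, xj, b)),
                       exists(x, relax(low(u), x, xj, xi, neg_bound(b))))

def evaluate(u, asg):
    """Truth value of u under the assignment {variable: value} (a semantic check)."""
    while u not in (0, 1):
        x, y, c, op, h, l = u
        d = asg[x] - asg[y]
        u = h if (d < c if op == LE else d <= c) else l
    return u

Z, Y, X = 0, 1, 2   # constructed variable ordering z < y < x for the page's example
def example_phi():
    """phi = 1 < x - z < 3 and (y - z > 2 or y - x > 0) from the quantifier section."""
    return apply('and', apply('and', mk_diff_cstr(X, Z, '>', 1), mk_diff_cstr(X, Z, '<', 3)),
                        apply('or', mk_diff_cstr(Y, Z, '>', 2), mk_diff_cstr(Y, X, '>', 0)))
```

Running exists(X, example_phi()) returns the tuple (1, 0, 1, 1, 0, 1), i.e. y - z ≤ 1 -> 0, 1, which is y - z > 1 as the page states; because the DDD is only locally reduced, an equality check against mk_diff_cstr(Y, Z, '>', 1) succeeds here, but in general equivalence must be decided with the feasibility-based tests of Algorithm 10 or 14 rather than by structural comparison.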

Universal quantification 

Universal and existential quantification are related through the identity ∀x.φ = ¬∃x.¬φ. Hence, a 
universal quantification algorithm can be expressed in terms of Not and Exists as shown in Al- 
gorithm 18. 
Manipulators 

The language of difference constraint expressions can be extended with two useful operations: as- 
signment and replacement: 

φ' ::= φ | φ[x <- y + c] | φ[y + c / x] 

An assignment gives a variable x the value of a variable y plus a constant c: 

[[φ[x <- y + c]]]α = [[φ]]α[x ↦ α(y) + c].    (10) 

For example, let φ_1 = (x - y = 1) ∧ (y - z = 1), and α = [x ↦ 5, y ↦ 1, z ↦ 0]. Clearly, 
[[φ_1]]α = false. We now perform the assignment x <- z + 2 in φ_1, and get: 

[[φ_1[x <- z + 2]]]α = [[φ_1]]α[x ↦ α(z) + 2] 
                     = [[φ_1]][x ↦ 2, y ↦ 1, z ↦ 0] 
                     = true. 

When x ≠ y, performing an assignment corresponds to removing all explicit bounds on x, and then 
updating x with a new value. The assignment operation φ[x <- y + c] is therefore performed as: 

φ[x <- y + c] = (∃x.φ) ∧ (x - y = c)    if x ≠ y, 

which gives the algorithm shown in Algorithm 19. 

An assignment x <- y + c in which x = y corresponds to incrementing x by the value c. Because only the 
upper bound is changed on the nodes comprising x, and the variables are not rearranged in the DDD when x 
is simply incremented, Increment shown in Algorithm 20 can recursively create a new DDD with 
Mk. Again the well-known technique of dynamic programming is preferably used in Increment to 
make it efficient. 

The replacement operator is closely related to assignment. A replacement φ[y + c / x] syntactically 
substitutes all occurrences of x in φ with a variable y plus a constant c. When the two variables are 
different, a replacement is performed as: 

[[φ[y + c / x]]] = [[∃x.((x - y = c) ∧ φ)]]. 

If x is equal to y, the replacement φ[x + c / x] is defined as φ[t / x][x + c / t], where t is a variable 
different from x and not occurring in φ. 

It can be observed that for a terminal node the result is the terminal, and that for a non-terminal node 
the replacement can be performed syntactically on the attributes of u. For example, substituting x_1 
by x_2 + c_2 in (x_3, x_1, o, c_1) gives (x_3, x_2, o, c_1 + c_2). These observations yield the function shown in 
Algorithm 21. Again the use of dynamic programming in Replace(u, x, y, c) makes it efficient, and 
only a linear number of new constraints are constructed. However, in order to maintain orderedness 
these new constraints cannot be added where they are discovered through calls to Mk, but are added 
through calls to Apply. 

Convex Hull 

The smallest convex set expressible by a difference constraint expression, called the convex hull, can 
for example be computed by enumerating all 1-paths, running Floyd-Warshall on each of these paths, 
and finally combining them into one matrix by element-wise taking the greatest entry in the matrices. 
This is done by the function Hull shown in Algorithm 22. 

Disjunctive Nodes 

Let p be a path leading to the node u in a DDD, and assume a = cstr(u), h = high(u), and 
l = low(u). Then u is disjunctive in p if [p] ∧ (a -> h, l) and [p] ∧ (h ∨ l) are equivalent. (Here, [p] 
denotes the system of difference constraints induced by a path p.) If a node is disjunctive in a path, 
the node can be omitted from the path. A function for removing all disjunctive nodes in a DDD is 
shown in Algorithm 23. 

Generalizations 

In situations where the invention is used to analyze systems which require the use of linear inequalit- 
ies, the preferred embodiment is as described above for difference constraints with a minor modific- 
ation. Instead of using a shortest path algorithm such as Bellman-Ford to check for the feasibility of 
paths in DDDs, an algorithm such as Simplex for solving linear programming is preferably used. 
A linear inequality expression can be expressed in the following syntax: 

φ ::= Σ_{i=1}^{n} a_i y_i ≤ b | φ ∨ φ | ¬φ | ∃y_i.φ 

The nodes of the data structure comprise expressions of the form Σ_{i=1}^{n} a_i y_i ≤ b, which, as usual, is 
a shorthand for the expression a_1 y_1 + ... + a_n y_n ≤ b. Here, a_i is an integer- or real-valued constant, 
and y_i is an integer- or real-valued variable (i = 1, ..., n). The expressions of the nodes are ordered 
according to a predetermined criterion. 

The basic algorithms for constructing nodes are adapted to linear inequalities in a straightforward 
manner. The algorithm for combining two data structures is only changed such that the correct or- 
dering is obtained by comparing the order of the linear inequality expressions (and not only the two 
variables and the bound) comprised in the nodes. The algorithm for performing the feasibility check 
is substituted by algorithms for solving linear programming problems or integer linear programming 
problems. The algorithms for determining functional properties are straightforward to adapt using the 
feasibility checking algorithm. The algorithm for finding a satisfying variable assignment can also be 
constructed in a straightforward manner using the algorithms for solving linear programming prob- 
lems. An algorithm for performing existential quantification can be obtained using Fourier-Motzkin 
variable elimination along the lines of Algorithm 16 for existential quantification for difference de- 
cision diagrams. 
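Fourier-Motzkin elimination on a conjunction of linear inequalities, the step the text names for existential quantification in the linear generalization, as an added Python example (not the patent's program). The inequality representation (a, b, strict), the functions eliminate, simplify and satisfiable, and the sample systems are constructed for this example; it also decides feasibility of a conjunction by eliminating every variable in turn, which the text delegates to a linear programming solver such as Simplex.

```python
"""Fourier-Motzkin elimination for the linear-inequality generalization: the
existential quantification step on one conjunction of linear inequalities.
Added example, not the patent's program.

An inequality is (a, b, strict): sum(a[i] * y[i]) < b if strict, else <= b,
with integer coefficients; the variables are the positions 0..n-1 of a.
"""

def eliminate(ineqs, k):
    """Return a system over the other variables equivalent to  exists y_k . ineqs."""
    upper = [r for r in ineqs if r[0][k] > 0]     # rows bounding y_k from above
    lower = [r for r in ineqs if r[0][k] < 0]     # rows bounding y_k from below
    out = [r for r in ineqs if r[0][k] == 0]      # rows not mentioning y_k are kept
    for au, bu, su in upper:
        for al, bl, sl in lower:
            wu, wl = -al[k], au[k]                 # positive multipliers cancelling y_k
            a = [wu * p + wl * q for p, q in zip(au, al)]
            out.append((a, wu * bu + wl * bl, su or sl))   # strict if either side is
    return out

def simplify(ineqs):
    """Drop inequalities that hold trivially; None if one is trivially false."""
    kept = []
    for a, b, strict in ineqs:
        if any(a):
            kept.append((a, b, strict))
        elif not (0 < b if strict else 0 <= b):
            return None                            # e.g. 0 < -1: the conjunction is infeasible
    return kept

def satisfiable(ineqs, n):
    """Decide a conjunction over the reals by eliminating every variable in turn."""
    for k in range(n):
        ineqs = simplify(eliminate(ineqs, k))
        if ineqs is None:
            return False
    return True

if __name__ == "__main__":
    # z, y, x are the variables 0, 1, 2; the difference constraints of the page's
    # quantifier example written as linear inequalities (constructed input)
    phi = [([1, 0, -1], -1, True),    # z - x < -1   (x - z > 1)
           ([-1, 0, 1], 3, True),     # x - z < 3
           ([0, -1, 1], 0, True)]     # x - y < 0    (y - x > 0)
    print(simplify(eliminate(phi, 2)))   # [([1, -1, 0], -1, True)] : z - y < -1, i.e. y - z > 1
```

Eliminating x pairs the upper bound x - y < 0 with the lower bound z - x < -1 and yields z - y < -1, the same implicit constraint y - z > 1 that the DDD example above derives by relaxation; the pair x - z < 3 with z - x < -1 collapses to the trivially true 0 < 2 and is dropped.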
Algorithm 1 

function Mk((x, y), (o, c), h, l) : Pair x Bound x V x V -> V 
    if D = Z ∧ o = LE then 
        (o, c) <- (LEQ, c - 1) 
    if member(G, (x, y, o, c, h, l)) then 
        return lookup(G, (x, y, o, c, h, l)) 
    elsif l = h then 
        return l 
    elsif (x, y) = var(l) ∧ h = high(l) then 
        return l 
    else 
        return insert(G, (x, y, o, c, h, l)) 



Algorithm 2 

function MkNorm((x, y), b, h, l) : Pair x Bound x V x V -> V 
    if x = y then 
        if b < (LEQ, 0) then 
            return 0 
        else 
            return 1 
    elsif x > y then 
        return Mk((x, y), b, h, l) 
    else 
        return Mk((y, x), -b, l, h) 
Algorithm 3 

function MkDiffCstr(x, y, o, c) : Var x Var x {EQ, NEQ, LEQ, GEQ, LE, GR} x D -> V 
    if o = LE then                                              ▷ x - y < c 
        return MkNorm((x, y), (LE, c), 1, 0) 
    elsif o = LEQ then                                          ▷ x - y ≤ c 
        return MkNorm((x, y), (LEQ, c), 1, 0) 
    elsif o = EQ then                                           ▷ x - y = c 
        return MkNorm((x, y), (LE, c), 0, MkNorm((x, y), (LEQ, c), 1, 0)) 
    elsif o = NEQ then                                          ▷ x - y ≠ c 
        return MkNorm((x, y), (LE, c), 1, MkNorm((x, y), (LEQ, c), 0, 1)) 
    elsif o = GR then                                           ▷ x - y > c 
        return MkNorm((x, y), (LEQ, c), 0, 1) 
    else                                                        ▷ x - y ≥ c 
        return MkNorm((x, y), (LE, c), 0, 1) 



Algorithm 4 

function Apply(op, u, v) : Conn x V x V -> V 
    if u, v ∈ {0, 1} then 
        return eval(op, u, v) 
    elsif member(H, (op, u, v)) then 
        return lookup(H, (op, u, v)) 
    elsif var(u) < var(v) then 
        r <- Mk(var(u), bound(u), Apply(op, high(u), v), Apply(op, low(u), v)) 
    elsif var(u) = var(v) ∧ bound(u) < bound(v) then 
        r <- Mk(var(u), bound(u), Apply(op, high(u), high(v)), Apply(op, low(u), v)) 
    elsif var(u) = var(v) ∧ bound(u) = bound(v) then 
        r <- Mk(var(u), bound(u), Apply(op, high(u), high(v)), Apply(op, low(u), low(v))) 
    elsif var(u) = var(v) ∧ bound(u) > bound(v) then 
        r <- Mk(var(v), bound(v), Apply(op, high(u), high(v)), Apply(op, u, low(v))) 
    else 
        r <- Mk(var(v), bound(v), Apply(op, u, high(v)), Apply(op, u, low(v))) 
    insert(H, (op, u, v), r) 
    return r 
Algorithm 5 

function Not(u) : V -> V 
    if u = 0 then 
        return 1 
    elsif u = 1 then 
        return 0 
    elsif member(H, (NP1, u, 0)) then 
        return lookup(H, (NP1, u, 0)) 
    else 
        r <- Mk(var(u), bound(u), Not(high(u)), Not(low(u))) 
        insert(H, (NP1, u, 0), r) 
        return r 



Algorithm 6 

function Feasible(M) : Bound-matrix -> B 
    Floyd-Warshall(M) 
    for i <- 1 to n do 
        if M_ii < (LEQ, 0) then 
            return false 
    return true 
Algorithm 7 

function Reduce(u) : V -> V 
    return reduce(u, {}, Array(0, 0), ()) 
where 
    function reduce(v, W, d, L) 
        if ¬Feasible'(|W|, d, L) then 
            return ⊥ 
        elsif v ∈ {0, 1} then 
            return v 
        else 
            (x_i, x_j) <- var(v) 
            d^h <- d^l <- d 
            L^h <- L^l <- L 
            W <- W ∪ {x_i, x_j} 
            InsertCstr(L^h, ((x_j, x_i), bound(v))) 
            InsertCstr(L^l, ((x_i, x_j), -bound(v))) 
            h <- reduce(high(v), W, d^h, L^h) 
            l <- reduce(low(v), W, d^l, L^l) 
            if h ≠ ⊥ ∧ l ≠ ⊥ then 
                return Mk(var(v), bound(v), h, l) 
            elsif h ≠ ⊥ then 
                return h 
            else 
                return l 




Algorithm 8 

function Feasible'(m, d, L) : Z x Bound-array x Cstr-list -> B 
    i <- 0 
    repeat 
        i <- i + 1 
        unchanged <- relax(d, L) 
    until i > m ∨ unchanged 
    return unchanged 
where 
    function relax(d, L) 
        unchanged' <- true 
        foreach ((x_i, x_j), b) ∈ L do            ▷ b is the distance from x_i to x_j 
            if d_j ≻ b + d_i then                 ▷ d_j is the distance from x_0 to x_j 
                d_j <- b + d_i 
                unchanged' <- false 
        return unchanged' 
Algorithm 9 

function InsertCstr(L, (v, b)) 
    if L = () then 
        L <- ((v, b)) 
    else 
        (v', b') <- head L 
        if v' = v then 
            L <- (v, b) :: tail L 
        else 
            L <- (v, b) :: L 



Algorithm 10 

function Unsatisfiable(u) : V 
    return Reduce(u) = 0 

function Tautology(u) : V 
    return Reduce(u) = 1 

function Satisfiable(u) : V 
    return Reduce(u) ≠ 0 

function Falsifiable(u) : V 
    return Reduce(u) ≠ 1 

function Equivalent(u, v) : V x V 
    return Tautology(Apply(BIIMP, u, v)) 

function Consequence(u, v) : V x V 
    return Tautology(Apply(IMP, u, v)) 
Algorithm 11 

function AllInfeasible(v, t, W, d, L) : V x V x Var-set x Bound-array x Cstr-list -> B 
    ok <- Feasible'(|W|, d, L) 
    if v ∈ {0, 1} ∨ ¬ok then 
        return ¬(v = t ∧ ok) 
    else 
        (x_i, x_j) <- var(v) 
        L^h <- L^l <- L 
        d^h <- d^l <- d 
        InsertCstr(L^h, ((x_j, x_i), bound(v))) 
        InsertCstr(L^l, ((x_i, x_j), -bound(v))) 
        W <- W ∪ {x_i, x_j} 
        if AllInfeasible(high(v), t, W, d^h, L^h) then 
            return AllInfeasible(low(v), t, W, d^l, L^l) 
        else 
            return false 



Algorithm 12 

function ExistsFeasible(v, t, W, d, L) : V x V x Var-set x Bound-array x Cstr-list -> B 
    ok <- Feasible'(|W|, d, L) 
    if v ∈ {0, 1} ∨ ¬ok then 
        return v = t ∧ ok 
    else 
        (x_i, x_j) <- var(v) 
        L^h <- L^l <- L 
        d^h <- d^l <- d 
        InsertCstr(L^h, ((x_j, x_i), bound(v))) 
        InsertCstr(L^l, ((x_i, x_j), -bound(v))) 
        W <- W ∪ {x_i, x_j} 
        if ¬ExistsFeasible(high(v), t, W, d^h, L^h) then 
            return ExistsFeasible(low(v), t, W, d^l, L^l) 
        else 
            return true 
Algorithm 14 

function Unsatisfiable(u) : V 
    return AllInfeasible(u, 1, {}, Array(0, 0), ()) 

function Tautology(u) : V 
    return AllInfeasible(u, 0, {}, Array(0, 0), ()) 

function Satisfiable(u) : V 
    return ExistsFeasible(u, 1, {}, Array(0, 0), ()) 

function Falsifiable(u) : V 
    return ExistsFeasible(u, 0, {}, Array(0, 0), ()) 



Algorithm 15 

function Anysat(u) : V -> Asgn ∪ {⊥} 
    return anysat(u, {}, Array(0, 0), ()) 
where 
    function anysat(v, W, d, L) 
        ok <- Feasible'(|W|, d, L) 
        if v = 1 ∧ ok then 
            for i <- 1 to n do 
                (δ, c) <- d_i 
                if δ = 0 then 
                    a <- a[x_i ↦ c] 
                else 
                    a <- a[x_i ↦ c - ε] 
            return a 
        elsif v ∈ {0, 1} ∨ ¬ok then 
            return ⊥ 
        else 
            (x_i, x_j) <- var(v) 
            L^h <- L^l <- L 
            d^h <- d^l <- d 
            InsertCstr(L^h, ((x_j, x_i), bound(v))) 
            InsertCstr(L^l, ((x_i, x_j), -bound(v))) 
            W <- W ∪ {x_i, x_j} 
            a <- anysat(high(v), W, d^h, L^h) 
            if a = ⊥ then 
                return anysat(low(v), W, d^l, L^l) 
            else 
                return a 
Algorithm 16 

function Exists(x, u) : Var x V -> V 
    if u ∈ {0, 1} then 
        return u 
    elsif x ∈ var(u) then 
        (x_i, x_j) <- var(u) 
        h <- Relax(high(u), x, x_i, x_j, bound(u)) 
        l <- Relax(low(u), x, x_j, x_i, -bound(u)) 
        return Exists(x, h) ∨ Exists(x, l) 
    else 
        a <- Mk(var(u), bound(u), 1, 0) 
        h <- Exists(x, high(u)) 
        l <- Exists(x, low(u)) 
        return (a ∧ h) ∨ (¬a ∧ l) 



Algorithm 17 

function Relax(u, x, x_i, x_j, b) : V x Var x Var x Var x Bound -> V 
    if u ∈ {0, 1} then 
        return u 
    else 
        h <- Relax(high(u), x, x_i, x_j, b) 
        l <- Relax(low(u), x, x_i, x_j, b) 
        a <- Mk(var(u), bound(u), 1, 0) 
        ▷ the constraint implied by cstr(u) together with x_i - x_j ~ b through x is added here (see the text) 
        return (a ∧ h) ∨ (¬a ∧ l) 
Algorithm 18 

function Forall(x, u) : Var x V -> V 
    return Not(Exists(x, Not(u))) 



Algorithm 19 

function Assign(u, x, y, c) : V x Var x Var x D -> V 
    if x = y then 
        return Increment(u, x, c) 
    else 
        return Apply(AND, MkDiffCstr(x, y, EQ, c), Exists(x, u)) 



Algorithm 20 

function Increment(u, x, c) : V x Var x D -> V 
    if u ∈ {0, 1} then 
        return u 
    else 
        if pos(u) = x then 
            b <- bound(u) + (LEQ, c) 
        elsif neg(u) = x then 
            b <- bound(u) + (LEQ, -c) 
        else 
            b <- bound(u) 
        return Mk(var(u), b, Increment(high(u), x, c), Increment(low(u), x, c)) 



Algorithm 21 

function Replace(u, x, y, c) : V x Var x Var x D -> V 
    if u ∈ {0, 1} then 
        return u 
    else 
        if pos(u) = x then 
            u' <- MkNorm((y, neg(u)), bound(u) - (LEQ, c), 1, 0) 
        elsif neg(u) = x then 
            u' <- MkNorm((pos(u), y), bound(u) + (LEQ, c), 1, 0) 
        else 
            u' <- Mk(var(u), bound(u), 1, 0) 
        h <- Replace(high(u), x, y, c) 
        l <- Replace(low(u), x, y, c) 
        return Apply(OR, Apply(AND, u', h), Apply(AND, Not(u'), l)) 
Algorithm 22 

function Hull(u) : V -> Bound-matrix 
    M <- Matrix(LE, ∞) 
    hull(u, M) 
    return M 
where 
    function hull(v, M) 
        if v = 0 then 
            M <- ⊥ 
        elsif v = 1 then 
            Floyd-Warshall(M) 
        else 
            (x_i, x_j) <- var(v) 
            M^h <- M^l <- M 
            M^h_ji <- bound(v) 
            M^l_ij <- -bound(v) 
            hull(high(v), M^h) 
            hull(low(v), M^l) 
            if M^h ≠ ⊥ ∧ M^l ≠ ⊥ then 
                M <- Max(M^h, M^l) 
            elsif M^h ≠ ⊥ then 
                M <- M^h 
            elsif M^l ≠ ⊥ then 
                M <- M^l 
            else 
                M <- ⊥ 
Algorithm 23 

function Merge(u) : V -> V 
    return merge(u, {}, Array(0, 0), ()) 
where 
    function merge(v, W, d, L) 
        if v ∈ {0, 1} then 
            return v 
        else 
            (x_i, x_j) <- var(v) 
            L^h <- L^l <- L 
            d^h <- d^l <- d 
            InsertCstr(L^h, ((x_j, x_i), bound(v))) 
            InsertCstr(L^l, ((x_i, x_j), -bound(v))) 
            h <- merge(high(v), W ∪ {x_i, x_j}, d^h, L^h) 
            l <- merge(low(v), W ∪ {x_i, x_j}, d^l, L^l) 
            if AllInfeasible((h ∨ l) <-> v, 0, W, d, L) then 
                return h ∨ l                       ▷ v is disjunctive 
            else 
                return Mk(var(v), bound(v), h, l) 
Claims 

1. An acyclic data structure comprising: 

• a number of nodes comprising 

- at least a first and a second pointer pointing to other nodes, 

- an expression comprising at least one inequality with at least one variable, the expression 
being adapted to result in one of at least two disjoint outcomes, each pointer representing 
one of the outcomes, the number of pointers corresponding to the number of outcomes 
of the expression, 

• at least one terminal node, 

• at least one node pointing to the at least one terminal node, 

the expressions being ordered according to predetermined criteria, the pointers of a first node com- 
prising an expression of a first, lower order pointing to nodes comprising expressions of second 
orders, the second orders being higher than the first order. 

2. A data structure according to claim 1, wherein the data structure is at least substantially free from 
incidents of nodes where: 

• the first and second pointers of a first node point to a second and a third node, respectively, 

• the second pointer of the second node points to the third node, 

• the expressions of the first and second nodes relate to the same variables, and 

• the variable values fulfilling or not fulfilling the expression of the first node being comprised 
in the variable values fulfilling or not fulfilling the expression of the second node. 

3. A data structure according to claim 1 or 2, wherein the data structure is at least substantially free 
from incidents of nodes where all pointers of a node point to the same node. 

4. A data structure according to any of the preceding claims, wherein the data structure is at least 
substantially free from incidents of nodes where two nodes exist having identical expressions and 
having pointers pointing to the same nodes, where the first pointers of the two nodes point to the 
same node, and where the second pointers of the two nodes point to the same node. 

5. A data structure according to any of the preceding claims, wherein the terminal nodes are adapted 
to represent Boolean values "true" and "false". 
6. A data structure according to any of the preceding claims, wherein the expressions in the nodes 
except the terminal nodes all contain at least one inequality. 

7. A data structure according to any of the preceding claims, wherein the disjoint outcomes of the 
expressions constitute "true" or "false", and wherein each node comprises two pointers. 

8. A data structure according to claim 6 or 7, wherein the at least one inequality is a linear inequality. 

9. A data structure according to claim 6, 7, or 8, wherein the inequalities are difference constraints. 

10. A data structure according to any of the preceding claims, wherein the data structure is at least 
substantially free from incidents of nodes where, when following a path from one node via one 
or more pointers to a second node, there exists no set of variable values fulfilling a combined ex- 
pression obtained by, for each node entered, the expression therein having to provide the outcome 
corresponding to the pointer of the node pointing to the next node. 

11. A data structure according to any of the preceding claims, wherein the data structure is at least 
substantially free from incidents of pairs of paths, starting in the same starting node and ending 
in the same ending node, where a single path may be generated starting in the starting node and 
ending in the ending node, so that the same set of variable values fulfill the combined expression 
obtained when following the single path from the starting node to the ending node as fulfill a 
disjunction of the pair of paths. 

12. A method of generating a data structure according to claim 1 and representing a system having a 
number of variables, the method comprising: 

a) determining the variables, 

b) defining a number of entities in the system, the entities defining relations between variables, 

c) defining criteria for ordering the expressions, 

d) representing each relation by: 

• defining a number of different expressions each comprising at least one inequality with 
at least one variable, and each expression being adapted to result in one of at least two 
disjoint outcomes, 

• generating a node associated to each expression, the node having: at least a first and a 
second pointer pointing to other nodes, the number of pointers of the node corresponding 
to the number of outcomes of the expressions, 
• ordering the expressions associated with the nodes in accordance with the defined criteria 
so that the pointers of a node comprising an expression of a lower order points to nodes 
comprising expressions of higher orders so as to generate an entity data structure repres- 
enting the corresponding entity, 
e) combining the entity data structures to generate the data structure. 

13. A method according to claim 12 further comprising: 

a) on the basis of the combined data structure determining at least one functional property of the 
system. 

14. A method according to claim 12, wherein step e) comprises a number of steps in each of which a 
number of entity data structures are combined, each step comprising: 

a) in the system determining a relationship between the entities represented by the entity data 
structures and a mathematical operation determined by the relationship, 

b) generating a new data structure by generating an operator node representing the mathematical 
operation and having a number of pointers pointing to the entity data structures. 

15. A method according to claim 3, wherein: 

• a first node is identified, all pointers of which point to the same, second node 

• all pointers pointing to the first node are pointed to the second node, and 

• the first node is removed. 

16. A method according to claim 3 or 4, wherein: 

• two nodes are identified having identical expressions and having pointers pointing to the 
same nodes, where the first pointers of the two nodes point to the same node, and where the 
second pointers of the two nodes point to the same node, 

• pointing all pointers pointing to a first of the two nodes to the other of the two nodes, and 
deleting the first node. 

17. A method according to claim 14, wherein a set of predetermined reduction rules are repeatedly 
applied to the operator nodes in order to remove operator nodes from the data structure. 

18. A method according to any of claims 14, 15, 16 and 17, further comprising the step of: 

• identifying an operator node having pointers pointing to more than two data structures, 
• replacing the identified operator node by a group of operator nodes, each operator node in 
the group having two pointers, the group of operator nodes pointing to the more than two 
data structures. 

19. A method according to claim 18, further comprising the step of: 

a) identifying an operator node having pointers pointing to two data structures comprising only 
terminal nodes or nodes the expressions of which represent inequalities, 

b) replacing the identified operator node and the data structures pointed to thereby by a new data 
structure generated by performing the following procedure relating to the two data structures: 

c) • if the lowest order node of the first data structure and the lowest order node of the second 
data structure comprise identical expressions, 

- generating a new node having an expression identical thereto, 

- generating a first new data structure from the data structures pointed to by the first 
pointers of the two lowest order nodes by performing step c), 

- having the new node's first pointer point at the first new data structure, 

- generating a second new data structure from the data structures pointed to by the 
second pointers of the two lowest order nodes by performing step c), 

- having the new node's second pointer point at the second new data structure, 

• if the lowest order node of the first data structure and the lowest order node of the second 
data structure comprise different expressions, 

- generating a new node having an expression identical to that of whichever of the two nodes 
has the lowest order, 

- generating a first new data structure from the data structures pointed to by the first 
pointer of the node having the lowest order and that node not having the lowest order 
by performing step c), 

- having the new node's first pointer point at the first new data structure, 

- generating a second new data structure from the data structures pointed to by the 
second pointer of the node having the lowest order and that node not having the lowest 
order by performing step c), 

- having the new node's second pointer point at the second new data structure, 

• if the lowest order node of one of the data structures comprises an expression, and the 
other data structure is a terminal node, 

- generating a new node having an expression identical to that of the node comprising 
an expression, 

(WO 00/13113, PCT/DK99/00456, page 68) 
- generating a first new data structure from the data structures pointed to by the first 
pointer of the node comprising an expression and the terminal node by performing 
step c), 

- having the new node's first pointer point at the first new data structure, 

- generating a second new data structure from the data structures pointed to by the 
second pointer of the node comprising an expression and the terminal by performing 
step c), 

- having the new node's second pointer point at the second new data structure, 

• if the two data structures are terminal nodes, performing the mathematical operation of the 
operator node between the terminal nodes and generating a data structure consisting of a 
terminal node representing the result of the operation. 

20. A method according to claim 12, wherein the combination of the entity data structures comprises: 

a) in the system determining a relationship between the two entities represented by the two data 
structures and a mathematical operation determined by the relationship, 

b) generating a new data structure by performing the following procedure relating the two data 
structures: 

c) • if the lowest order node of the first data structure and the lowest order node of the second 
data structure comprise identical expressions, 

- generating a new node having an expression identical thereto, 

- generating a first new data structure from the data structures pointed to by the first 
pointers of the two lowest order nodes by performing step c), 

- having the new node's first pointer point at the first new data structure, 

- generating a second new data structure from the data structures pointed to by the 
second pointers of the two lowest order nodes by performing step c), 

- having the new node's second pointer point at the second new data structure, 

• if the lowest order node of the first data structure and the lowest order node of the second 
data structure comprise different expressions, 

- generating a new node having an expression identical to that of whichever of the two nodes 
has the lowest order, 

- generating a first new data structure from the data structures pointed to by the first 
pointer of the node having the lowest order and that node not having the lowest order 
by performing step c), 
- having the new node's first pointer point at the first new data structure, 

- generating a second new data structure from the data structures pointed to by the 
second pointer of the node having the lowest order and that node not having the lowest 
order by performing step c), 

- having the new node's second pointer point at the second new data structure, 

• if the lowest order node of one of the data structures comprises an expression, and the 
other data structure is a terminal node, 

- generating a new node having an expression identical to that of the node comprising 
an expression, 

- generating a first new data structure from the data structures pointed to by the first 
pointer of the node comprising an expression, and the terminal node by performing 
step c), 

- having the new node's first pointer point at the first new data structure, 

- generating a second new data structure from the data structures pointed to by the 
second pointer of the node comprising an expression and the terminal by performing 
step c), 

- having the new node's second pointer point at the second new data structure, 

• if the two data structures are terminal nodes, performing the mathematical operation be- 
tween the terminal nodes and generating a data structure consisting of a terminal node 
representing the result of the operation, 

d) repeating steps a) and b) until only a single data structure remains. 

21. A method of generating a new data structure according to claim 1 by combining two such data 
structures using a mathematical operation, the method comprising: 

a) generating the new data structure by: 

• if the lowest order node of the first data structure and the lowest order node of the second 
data structure comprise identical expressions, 

- generating a new node having an expression identical thereto, 

- generating a first new data structure from the data structures pointed to by the first 
pointers of the two lowest order nodes by performing step a), 

- having the new node's first pointer point at the first new data structure, 

- generating a second new data structure from the data structures pointed to by the 
second pointers of the two lowest order nodes by performing step a), 
- having the new node's second pointer point at the second new data structure, 

• if the lowest order node of the first data structure and the lowest order node of the second 
data structure comprise different expressions, 

- generating a new node having an expression identical to that of whichever of the two nodes 
has the lowest order, 

- generating a first new data structure from the data structures pointed to by the first 
pointer of the node having the lowest order and that node not having the lowest order 
by performing step a), 

- having the new node's first pointer point at the first new data structure, 

- generating a second new data structure from the data structures pointed to by the 
second pointer of the node having the lowest order and that node not having the lowest 
order by performing step a), 

- having the new node's second pointer point at the second new data structure, 

• if the lowest order node of one of the data structures comprises an expression, and the 
other data structure is a terminal node, 

- generating a new node having an expression identical to that of the node comprising 
an expression, 

- generating a first new data structure from the data structures pointed to by the first 
pointer of the node comprising an expression and the terminal node by performing 
step a), 

- having the new node's first pointer point at the first new data structure, 

- generating a second new data structure from the data structures pointed to by the 
second pointer of the node comprising an expression and the terminal by performing 
step a), 

- having the new node's second pointer point at the second new data structure, 

• if the two data structures are terminal nodes, performing the mathematical operation be- 
tween the terminal nodes and generating a data structure consisting of a terminal node 
representing the result of the operation. 

22. A method according to any of claims 14-20, wherein the mathematical operations are chosen 
from the group consisting of Boolean operators or combinators, such as AND, OR, NOT, and 
XOR, where the terminal nodes are given one of the values "true" and "false". 

23. A method according to claim 21, wherein the mathematical operation is chosen from the group 
consisting of Boolean operators or combinators, such as AND, OR, NOT, and XOR, where the 
terminal nodes are given one of the values "true" and "false". 

24. A method according to claim 22, wherein the mathematical operations are binary operations, and 
where the nodes comprising expressions are generated with a first and a second pointer so as to be 
able to point at two other nodes, the second pointer being used, if the expression, given a set of 
variable values, is true, and the first pointer if the expression is false. 

25. A method according to claim 24, wherein: 

• a first node is identified, all pointers of which point to the same, second node, 

• all pointers pointing to the first node are pointed to the second node, and 

• the first node is removed. 

26. A method according to claim 24 or 25, wherein: 

• two nodes are identified having identical expressions and having pointers pointing to the 
same nodes, where the first pointers of the two nodes point to the same node, and where the 
second pointers of the two nodes point to the same node, 

• pointing all pointers pointing to a first of the two nodes to the other of the two nodes, and 

• deleting the first node. 

27. A method according to any of claims 24-26, wherein 

• three nodes are identified where: 

- the first and second pointers of a first node point to a second and a third node, respect- 
ively, 

- the second pointer of the second node points to the third node, 

- the expressions of the first and second nodes relate to the same variables, and the variable 
values fulfilling the expression of the first node being comprised in the variable values 
fulfilling the expression of the second node, and 

• replacing pointers pointing to the first node by pointers pointing to the second node. 

28. A method according to any of claims 24-27, wherein 

• three nodes are identified where: 

- the second and first pointers of a first node point to a second and a third node, respect- 
ively, 
- the first pointer of the second node points to the third node, 

- the expressions of the first and second nodes relate to the same variables, and the variable 
values not fulfilling the expression of the first node being comprised in the variable 
values not fulfilling the expression of the second node, and 

• pointing the first node's second pointer to a node pointed to by the second node's second 
pointer. 

29. A method according to claim 27 or 28, wherein the second node is subsequently removed, if no 
pointers point to it. 

30. A method according to any of claims 12-29, wherein, during step e) or during generation of an 
entity data structure, if a new node is to be generated having all pointers point to the same, second 
node, where one or more pointers were to point to the new node, not inserting the new node and 
directing all pointers pointing to the new node to the second node. 

31. A method according to any of claims 12-30, wherein, during step e) or during generation of an 
entity data structure, if a new node is to be generated having an expression identical to that of a 
second node, a first pointer pointing to a node pointed to by a first pointer of the second node, 
and a second pointer pointing to a node pointed to by a second pointer of the second node, where 
one or more pointers were to point to the new node, not inserting the new node and directing 
pointers pointing to the new node to the second node. 
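The construction, reduction and Apply procedures of claims 1 to 4, 19 to 21 and 24 to 31 can be illustrated by the following Python program. It is an added worked example and not code from the patent. Assumptions not stated in the claims: a constraint is written as the tuple (x, y, c) meaning x - y <= c, constraints are ordered first by variable pair and then by constant, the terminals are Python's False and True, and the two implication rules (cf. claims 27 and 28) are given in the form in which a constraint that is implied by the one tested above it on the same variable pair is removed.

```python
"""Reduced difference decision diagrams: node construction, Apply and evaluation."""
from typing import Callable, Union

# ASSUMPTION (not from the claims): a constraint is the tuple (x, y, c) and means
# x - y <= c.  Python's tuple ordering then orders constraints first by the variable
# pair (x, y) and then by the constant c, which serves as the ordering criterion.
Constraint = tuple[str, str, int]


class Nonterminal:
    """A node with one constraint and two pointers: `low` is followed when the
    constraint is false (first pointer), `high` when it is true (second pointer)."""
    __slots__ = ("expr", "low", "high")

    def __init__(self, expr: Constraint, low: "Node", high: "Node") -> None:
        self.expr, self.low, self.high = expr, low, high


Node = Union[bool, Nonterminal]          # terminals are the Booleans False and True
_unique: dict[tuple, Nonterminal] = {}   # unique table: one node per (expr, low, high)


def mk(expr: Constraint, low: Node, high: Node) -> Node:
    """Return the reduced node for (expr, low, high), never building a redundant one."""
    if low is high:                      # both pointers agree: the test is redundant (claim 3)
        return low
    # Same variable pair and expr implies low.expr (x - y <= 3 implies x - y <= 5):
    # whenever expr holds, low.expr holds too, so `low` already decides like this node.
    if (isinstance(low, Nonterminal) and low.expr[:2] == expr[:2]
            and expr[2] <= low.expr[2] and low.high is high):
        return low
    # Mirror case: once expr holds, the weaker test in `high` is certainly true, skip it.
    if (isinstance(high, Nonterminal) and high.expr[:2] == expr[:2]
            and expr[2] <= high.expr[2] and high.low is low):
        return mk(expr, low, high.high)
    key = (expr, low, high)              # Nonterminal hashes by identity, Booleans by value
    node = _unique.get(key)              # unique table lookup (claim 4)
    if node is None:
        node = _unique[key] = Nonterminal(expr, low, high)
    return node


def apply_op(op: Callable[[bool, bool], bool], f: Node, g: Node) -> Node:
    """Combine two DDDs with a Boolean operator: the recursive procedure of claims 19-21."""
    memo: dict[tuple[int, int], Node] = {}

    def go(f: Node, g: Node) -> Node:
        if isinstance(f, bool) and isinstance(g, bool):     # two terminals: apply the operator
            return op(f, g)
        key = (id(f), id(g))
        if key in memo:
            return memo[key]
        ef = None if isinstance(f, bool) else f.expr
        eg = None if isinstance(g, bool) else g.expr
        if eg is None or (ef is not None and ef < eg):      # f's root has the lowest order
            res = mk(ef, go(f.low, g), go(f.high, g))
        elif ef is None or eg < ef:                          # g's root has the lowest order
            res = mk(eg, go(f, g.low), go(f, g.high))
        else:                                                # identical root constraints
            res = mk(ef, go(f.low, g.low), go(f.high, g.high))
        memo[key] = res
        return res

    return go(f, g)


AND = lambda a, b: a and b
OR = lambda a, b: a or b


def atom(x: str, y: str, c: int) -> Node:
    """The DDD of the single constraint x - y <= c."""
    return mk((x, y, c), False, True)


def negate(f: Node) -> Node:
    """Negation interchanges the terminals (first step of claim 40)."""
    return apply_op(lambda a, _: not a, f, False)


def evaluate(f: Node, env: dict[str, int]) -> bool:
    """Follow the pointers selected by the given variable values (claim 39)."""
    while isinstance(f, Nonterminal):
        x, y, c = f.expr
        f = f.high if env[x] - env[y] <= c else f.low
    return f


def size(f: Node) -> int:
    """Number of distinct non-terminal nodes reachable from f."""
    seen: set[int] = set()

    def walk(n: Node) -> None:
        if isinstance(n, Nonterminal) and id(n) not in seen:
            seen.add(id(n))
            walk(n.low)
            walk(n.high)

    walk(f)
    return len(seen)


def demo() -> dict[str, bool]:
    """Constructed example over the variables x and y."""
    a, b, c = atom("x", "y", 3), atom("x", "y", 5), atom("y", "x", 0)
    band = apply_op(AND, a, c)                          # 0 <= x - y <= 3
    return {
        "or_collapses": apply_op(OR, a, b) is b,        # x-y<=3 or x-y<=5 is just x-y<=5
        "and_collapses": apply_op(AND, a, b) is a,      # x-y<=3 and x-y<=5 is just x-y<=3
        "double_negation": negate(negate(a)) is a,
        "band_has_two_nodes": size(band) == 2,
        "in_band": evaluate(band, {"x": 7, "y": 5}) is True,
        "below_band": evaluate(band, {"x": 7, "y": 9}) is False,
        # band OR b equals b, but the local rules keep the implied node for x-y<=3:
        "implied_node_survives": size(apply_op(OR, band, b)) == 4,
    }
```

apply_op recurses on the node of lowest order on each side exactly as the three cases of claim 21 prescribe, while mk enforces the reductions at construction time (claims 30 and 31), so a redundant node is never inserted and removed afterwards. The last entry of demo shows the limit of the local rules: the disjunction (0 <= x - y <= 3) OR (x - y <= 5) is equivalent to x - y <= 5 alone, yet the node testing x - y <= 3 survives because the path that makes it matter is infeasible. Removing such paths is the subject of claims 10 and 45.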

32. A method of altering a data structure according to claims 5 and 9, the method comprising: 

• identifying all paths leading from a root to a "true" terminal node, 

• for each path, constructing a difference bound matrix obtained from a combined expression 
obtained by, for each node entered in the path, the expression therein having to provide the 
outcome corresponding to the pointer of the node pointing to the next node, 

• solving the all pairs shortest path problem for each difference bound matrix, 

• removing in each matrix the row and column corresponding to a predetermined variable, 

• constructing a path from each matrix, and 

• combining all the paths by a disjunction using the method of claim 23. 

33. A method according to claim 32, wherein the construction of a path from each matrix comprises, 
for each entry in the matrix, generating a node having a difference constraint corresponding to the 
variables of the row and column and the constant of the entry, and subsequently combining the 
resulting nodes by conjunction. 
34. A method according to claim 32 or 33, wherein the solving step comprises, for each matrix, solving 
the difference bound matrix by the algorithm of Floyd-Warshall performing only relaxation steps 
involving the predetermined variable. 
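Claims 32 to 34 describe quantifier elimination path by path through difference bound matrices; the following Python program is an added worked example of that procedure and not the patent's own code. Assumptions not taken from the claims: constraints are written (x, y, c) for x - y <= c over integer-valued variables, so that the negation of a constraint is again a non-strict constraint (y, x, -c - 1); a DDD is a nested tuple (constraint, low, high) with the Booleans as terminals; and the disjunction of the last step of claim 32 is returned as a list of conjunctions, which the Apply procedure of claim 21 would turn back into a DDD.

```python
"""Eliminating a variable from a DDD path by path with difference bound matrices."""
INF = float("inf")

# ASSUMPTIONS (not from the claims): a constraint (x, y, c) means x - y <= c over
# integer-valued variables, so its negation is y - x <= -c - 1, written (y, x, -c - 1);
# a DDD is a nested tuple (constraint, low, high) with the Booleans as terminals,
# `low` being followed when the constraint is false and `high` when it is true.


def paths_to_true(ddd, prefix=()):
    """Yield the conjunction of constraints along each root-to-True path."""
    if ddd is True:
        yield list(prefix)
    elif ddd is not False:
        (x, y, c), low, high = ddd
        yield from paths_to_true(low, prefix + ((y, x, -c - 1),))   # false edge: negation
        yield from paths_to_true(high, prefix + ((x, y, c),))       # true edge: the constraint


def dbm(path, variables):
    """Difference bound matrix of a conjunction: m[i][j] bounds v_i - v_j from above."""
    idx = {v: i for i, v in enumerate(variables)}
    n = len(variables)
    m = [[0 if i == j else INF for j in range(n)] for i in range(n)]
    for x, y, c in path:
        m[idx[x]][idx[y]] = min(m[idx[x]][idx[y]], c)
    return m


def relax(m, k):
    """One Floyd-Warshall round: tighten every bound by going through variable k."""
    n = len(m)
    for i in range(n):
        for j in range(n):
            if m[i][k] + m[k][j] < m[i][j]:
                m[i][j] = m[i][k] + m[k][j]
    return m


def close(m):
    """All-pairs shortest paths; None if the conjunction is unsatisfiable (negative cycle)."""
    for k in range(len(m)):
        relax(m, k)
    return None if any(m[i][i] < 0 for i in range(len(m))) else m


def drop(m, variables, var):
    """Remove the row and column of `var`; the rest is the projection onto the others."""
    keep = [i for i, v in enumerate(variables) if v != var]
    return [[m[i][j] for j in keep] for i in keep], [variables[i] for i in keep]


def to_constraints(m, variables):
    """Read a DBM back as difference constraints, the conjunction of one path (claim 33)."""
    n = len(variables)
    return [(variables[i], variables[j], m[i][j])
            for i in range(n) for j in range(n) if i != j and m[i][j] != INF]


def exists(ddd, var, variables):
    """Exists var. ddd, as a disjunction (list) of conjunctions (lists of constraints),
    ready to be rebuilt into a DDD with Apply (claims 32 and 33)."""
    disjuncts = []
    for path in paths_to_true(ddd):
        m = close(dbm(path, variables))
        if m is None:                 # infeasible path: contributes nothing to the disjunction
            continue
        disjuncts.append(to_constraints(*drop(m, variables, var)))
    return disjuncts


def exists_fast(ddd, var, variables):
    """Claim 34 variant: only the relaxation round through `var` is performed before its
    row and column are dropped.  The projection is exact but not in closed form."""
    k = variables.index(var)
    return [to_constraints(*drop(relax(dbm(path, variables), k), variables, var))
            for path in paths_to_true(ddd)]


VARIABLES = ["x", "y", "z"]
# Constructed example DDD (ordered by variable pair, then constant): the root tests
# x - y <= 2; its false branch carries the infeasible conjunction x - y >= 3, x - z <= 1,
# z - y <= 1 (the cycle sums to -3 + 1 + 1 < 0); its true branch adds y - z <= 3.
EXAMPLE = (("x", "y", 2),
           (("x", "z", 1), False, (("z", "y", 1), False, True)),
           (("y", "z", 3), False, True))
```

exists runs the full Floyd-Warshall closure and therefore also detects infeasible paths, which contribute nothing to the disjunction; on the example, eliminating y leaves the single conjunct x - z <= 5. exists_fast performs only the relaxation round through the eliminated variable, as claim 34 allows: the projection it returns is correct, but since nothing else has been closed an infeasible path survives as the unsatisfiable conjunction x - z <= 1, z - x <= -2 instead of disappearing.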

35. A method of altering a data structure according to claim 5 and either 8 or 9, the method comprising: 

(a) determining a variable, 

(b) determining a constraining expression which is either a lower or an upper bound on the 
variable, 

(c) generating a new data structure by: 

• if the data structure is a terminal node then the result is said terminal node, 

• if the node of the data structure having the lowest order comprises an expression con- 
taining the variable, 

- generating a first new data structure from the data structure pointed to by the first 
pointer of the node by performing step c), 

- generating a second new data structure from the data structure pointed to by the 
second pointer of the node by performing step c), 

- if the constraining expression is an upper bound on the variable and the expression 
of the node is also an upper bound on the variable, 

* constructing a new expression without the variable obtained by combining con- 
junctively the constraining expression and the negation of the expression of the 
node, 

* generating the resulting data structure as the disjunction of 

■ the negation of the expression of the node conjuncted with the first new data 
structure and the new expression, and 

■ the expression of the node conjuncted with the second new data structure, 

- if the constraining expression is an upper bound on the variable and the expression 
of the node is a lower bound on the variable, 

* constructing a new expression without the variable obtained by combining con- 
junctively the constraining expression and the expression of the node, 

* generating the resulting data structure as the disjunction of 

■ the negation of the expression of the node conjuncted with the first new data 
structure, and 

■ the expression of the node conjuncted with the second new data structure and 
the new expression, 

- if the constraining expression is a lower bound on the variable and the expression of 
the node is an upper bound on the variable, 

* constructing a new expression without the variable obtained by combining con- 
junctively the constraining expression and the expression of the node, 

* generating the resulting data structure as the disjunction of 

■ the negation of the expression of the node conjuncted with the first new data 
structure, and 

■ the expression of the node conjuncted with the second new data structure and 
the new expression, 

- if the constraining expression is a lower bound on the variable and the expression of 
the node is also a lower bound on the variable, 

* constructing a new expression without the variable obtained by combining con- 
junctively the constraining expression and the negation of the expression of the 
node, 

* generating the resulting data structure as the disjunction of 

■ the negation of the expression of the node conjuncted with the first new data 
structure and the new expression, and 

■ the expression of the node conjuncted with the second new data structure, 

• if the node of the data structure having the lowest order does not comprise an expression 
containing the variable, 

- generating a first new data structure from the data structure pointed to by the first 
pointer of the node by performing step c), 

- generating a second new data structure from the data structure pointed to by the 
second pointer of the node by performing step c), 

- generating a new node having an expression identical to the expression of the node, 

- having the new node's first pointer point at the first new data structure, 

- having the new node's second pointer point at the second new data structure. 

36. A method of altering a data structure according to claim 5 and either 8 or 9, the method comprising: 

a) determining a variable, 

b) generating a new data structure by: 
• if the data structure is a terminal node then the result is said terminal node, 

• if the node of the data structure having the lowest order does not comprise an expression 
containing the variable, 

- generating a first new data structure from the data structure pointed to by the first 
pointer of the node by performing step b), 

- generating a second new data structure from the data structure pointed to by the second 
pointer of the node by performing step b), 

- generating a new node having an expression identical to the expression of the node, 

- having the new node's first pointer point at the first new data structure, 

- having the new node's second pointer point at the second new data structure, 

• if the node of the data structure having the lowest order comprises an expression containing 
the variable, 

- generating a first new data structure from the data structure pointed to by the first 
pointer of the node by performing the method according to claim 35 with the negation 
of the node's expression as the constraining expression and then performing step b), 

- generating a second new data structure from the data structure pointed to by the second 
pointer of the node by performing the method according to claim 35 with the node's 
expression as the constraining expression and then performing step b), 

- generating the resulting data structure as the disjunction of the first and the second 
new data structure. 

37. A method for assessing whether, in a data structure according to claims 5 and 10, a set of 
variable values exists which, when starting in a root of the structure, would result in a path ending 
in a predetermined terminal node, the method comprising: 

• inspecting whether the data structure consists of one terminal node only, 

• if so, a positive answer is returned, if the only terminal node is the predetermined terminal 
node, and a negative answer is returned, if the only terminal node is not the predetermined 
terminal node, 

• if not, a positive answer is returned. 

38. A method for determining a set of variable values which, when starting in a predetermined root 
of a data structure according to claim 3, 5, and 10, results in a path ending in a predetermined 
terminal node, the method comprising: 

• starting in the root of the structure and repeating the step of: 
- if the first pointer of the node points to a terminal node different from the predetermined 
terminal node, selecting the node pointed to by the second pointer, otherwise selecting 
the node pointed to by the first pointer, 

• if the predetermined terminal node is found: 

- constructing the path from the root to the terminal node and deriving a combined ex- 
pression obtained by, for each node entered, the expression therein having to provide 
the outcome corresponding to the pointer of the node pointing to the next node, and 

- solving the combined expression and deriving a set of variable values of the solution. 

39. A method for generating a result from a predetermined set of variable values when imposed on a 
data structure according to claim 1, the method comprising: 

• starting in a predetermined root of the structure and repeating the steps of: 

- if the node is a terminal node, returning the contents of the terminal node, 

- otherwise, evaluating the expression of the node according to the set of variable values 
and continuing with the node pointed at by the pointer corresponding to the outcome of 
the expression. 

40. A method of altering a data structure according to claim 5 and 9, the method comprising: 

• interchanging the terminal nodes "true" and "false", 

• removing the variable using the method according to any of claims 32-34 or 36, 

• interchanging the terminal nodes "true" and "false". 

41. A method of altering a data structure according to claim 5 and 9, the method comprising: 

• replacing, in the data structure, a first variable x with the sum of a second, different variable 
y, and a constant c by: 

• constructing a second data structure by conjoining the initial data structure with a data 
structure comprising a conjunction of a first node comprising a difference constraint relating 
to x - y ≤ c, and a second node comprising a difference constraint relating to x - y ≥ c, 

• combining the first and the second data structures by the Boolean operation of conjunction 
using the method of claim 23, 

• removing x using the method of any of claims 32-34 or 36. 

42. A method of altering a data structure according to claim 5 and 9, the method comprising replacing, 
in the data structure, a first variable x with the sum of a second, different variable y, and a constant 
c by: 
• removing x from the data structure using the method of any of claims 32-34 or 36, 

• constructing a second data structure by conjoining the initial data structure with a data 
structure comprising a conjunction of a first node comprising a difference constraint relating 
to x - y ≤ c, and a second node comprising a difference constraint relating to x - y ≥ c, 

• combining the first and the second data structures by the Boolean operation of conjunction 
using the method of claim 23. 

43. A method of altering a data structure according to claim 5 and 9, the method comprising: in each 
expression comprising a predetermined variable, replacing the variable by the same variable added 
to a predetermined constant. 

44. A method of obtaining information from a data structure according to claim 5 and 9, comprising 
the steps of: 

• identifying all paths leading from a root to a "true" terminal node, 

• for each path, constructing a difference bound matrix obtained from a combined expression 
obtained by, for each node entered in the path, the expression therein having to provide the 
outcome corresponding to the pointer of the node pointing to the next node, 

• solving the all pairs shortest path problem for each difference bound matrix, 

• generating a maximum matrix from the difference bound matrices and having the same di- 
mensions as the difference bound matrices by, for each entry in the maximum matrix, select- 
ing the largest value in the difference bound matrices relating to the same entry, and 

• obtaining information from the maximum matrix. 

45. A method for removing infeasible paths from a data structure according to claim 5 and 9, the 
method comprising, for each path in the data structure from a root node to a terminal node: 

• for each node in the path, determining whether a set of variable values exists fulfilling a 
combined expression obtained by, for each node between the root node and the actual node, 
the expression therein having to provide the outcome corresponding to the pointer of the 
node pointing to the next node, 

• removing the pointer in the path pointing to the actual node. 

46. A method according to claim 45, wherein the determining step is performed according to the 
Bellman-Ford algorithm where, for each node in the path, information relating to the nodes already 
visited is stored and re-used in subsequent nodes. 
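The following Python program is an added worked example of claims 37, 38, 45 and 46 and not code from the patent. Assumptions not taken from the claims: constraints are written (x, y, c) for x - y <= c over integer-valued variables, a DDD is a nested tuple (constraint, low, high) with Boolean terminals, and "removing the pointer" to an infeasible node is realised by redirecting that pointer to the False terminal. The feasibility test is the incremental Bellman-Ford relaxation of claim 46: the satisfying assignment found for the path prefix is carried down the path and only repaired along the newly added constraint.

```python
"""Satisfiability, witnesses and infeasible-path pruning with incremental Bellman-Ford."""
from collections import deque

# ASSUMPTIONS (not from the claims): a constraint (x, y, c) means x - y <= c over
# integer-valued variables (negation: (y, x, -c - 1)); a DDD is a nested tuple
# (constraint, low, high) with Boolean terminals, `low` for false, `high` for true.
# A constraint x - y <= c is the edge y -> x of weight c.  An assignment `dist` satisfies
# the whole set exactly when no edge can be relaxed; a negative cycle means unsatisfiable.


def add_constraint(state, x, y, c):
    """Add x - y <= c to a satisfiable set; return the new (edges, dist) or None if the set
    became unsatisfiable.  Only the new edge is propagated (the reuse of claim 46): the
    old set had no negative cycle, so any new one runs through y -> x and is detected the
    moment the propagation started at x would lower dist[y] again."""
    edges, dist = state
    edges = {u: list(vs) for u, vs in edges.items()}      # copy: sibling paths stay independent
    dist = dict(dist)
    edges.setdefault(y, []).append((x, c))
    if dist[x] <= dist[y] + c:                             # already satisfied: nothing to repair
        return edges, dist
    dist[x] = dist[y] + c
    queue = deque([x])
    while queue:
        u = queue.popleft()
        for v, w in edges.get(u, ()):
            if dist[u] + w < dist[v]:
                if v == y:                                 # cheaper way back to the tail: negative cycle
                    return None
                dist[v] = dist[u] + w
                queue.append(v)
    return edges, dist


def fresh(variables):
    """The empty constraint set with the all-zero assignment, which trivially satisfies it."""
    return {}, {v: 0 for v in variables}


def solve(constraints, variables):
    """A satisfying assignment of a conjunction, or None (last step of claim 38)."""
    state = fresh(variables)
    for x, y, c in constraints:
        state = add_constraint(state, x, y, c)
        if state is None:
            return None
    return state[1]


def prune(ddd, variables):
    """Claim 45: redirect to False every pointer whose path prefix is unsatisfiable, so
    that every remaining path to True is feasible (the property of claim 10)."""
    def go(node, state):
        if isinstance(node, bool):
            return node
        (x, y, c), low, high = node
        branches = []
        for child, (a, b, k) in ((low, (y, x, -c - 1)), (high, (x, y, c))):
            s = add_constraint(state, a, b, k)              # prefix plus the edge just taken
            branches.append(False if s is None else go(child, s))
        low2, high2 = branches
        return low2 if low2 == high2 else ((x, y, c), low2, high2)   # drop redundant tests
    return go(ddd, fresh(variables))


def is_satisfiable(pruned):
    """Claim 37: on a pruned DDD only the False terminal itself is unsatisfiable."""
    return pruned is not False


def anysat(ddd, variables):
    """Claim 38: walk towards True, taking the second pointer only when the first one leads
    to False, then solve the collected path.  On an unpruned DDD the walk may choose an
    infeasible path and return None although another path is satisfiable."""
    node, path = ddd, []
    while not isinstance(node, bool):
        (x, y, c), low, high = node
        if low is False:
            path.append((x, y, c))
            node = high
        else:
            path.append((y, x, -c - 1))
            node = low
    return solve(path, variables) if node is True else None


VARIABLES = ["x", "y", "z"]
# Constructed example: the false branch of the root carries the unsatisfiable conjunction
# x - y >= 3, x - z <= 1, z - y <= 1; the true branch requires x - y <= 2 and z - y <= -4.
EXAMPLE = (("x", "y", 2),
           (("x", "z", 1), False, (("z", "y", 1), False, True)),
           (("z", "y", -4), False, True))
```

On the unpruned example the walk of claim 38 takes the first pointer of the root, because it does not lead to the False terminal, and ends up on the infeasible path, so anysat returns None even though the diagram is satisfiable. After prune has established the property of claim 10 the same walk yields the witness x = 0, y = 0, z = -4, and satisfiability itself reduces to the single comparison of claim 37. Each call to add_constraint copies the edge lists so that the state carried down one branch does not leak into its sibling; for large diagrams the states would be shared along the path and undone on return instead.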
47. A method for removing infeasible paths from a data structure according to claim 5 and 8, the 
method comprising, for each path in the data structure from a root node to a terminal node: 

• for each node in the path, determining whether a set of variable values exists fulfilling a 
combined expression obtained by, for each node between the actual node and the root node, 
the expression therein having to provide the outcome corresponding to the pointer of the 
node pointing to the next node, 

• removing the pointer in the path pointing to the actual node. 

48. A method according to claim 47, wherein the determining step is performed using linear program- 
ming, such as the simplex algorithm, or using integer linear programming. 

49. A method for altering a data structure according to claim 5, 7, and 9, the method comprising the 
steps of: 

• identifying all paths leading from a root to a "true" terminal node, 

• for each path, constructing a difference bound matrix obtained from a combined expression 
obtained by, for each node entered in the path, the expression therein having to provide the 
outcome corresponding to the pointer of the node pointing to the next node, 

• solving the all pairs shortest path problem for each difference bound matrix, 

• constructing a path from each matrix by expressing the bounds of each entry as difference 
constraints on the variables corresponding to the entry and forming the conjunction of the 
difference constraints, and 

• generating an amended data structure by combining all the paths by a disjunction using the 
method of claim 23, and 

• for each node in the amended data structure in each path from the root to a "true" terminal 
node: 

a) determining an initial expression from a combination of the expressions of the nodes in 
the path between the root and the actual node, 

b) determining a conjunctive combination between the initial expression and an expression 
obtained by a disjunction between the data structures pointed at by the two pointers of 
the node, 

c) determining a conjunctive combination between the initial expression and a disjunction 
between 

- a conjunction between the expression of the actual node and the data structure pointed 
at by the pointer representing a fulfillment of the expression of the node, 

- a conjunction between the negation of the expression of the actual node and the data 
structure pointed at by the pointer representing a non-fulfillment of the expression 
of the node, 

d) if the variable values fulfilling the combination b) and the combination c) are identical, 
replacing the actual node by the disjunction between the data structures pointed at by 
the two pointers of the actual node. 
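Claims 47 and 49 both act on a single root-to-terminal path: decide whether the conjunction of its difference constraints is satisfiable, and, if so, tighten it through a difference bound matrix and an all-pairs shortest-path closure. The following is an added illustration in Python and is not code from the patent; it assumes difference constraints written as triples (x, y, c) meaning x - y <= c, a constructed reference variable "0" standing for the constant zero so that a single-variable bound is a difference against it, and a negative-cycle test on the closure in place of the linear programming of claim 48 (an equivalent decision for pure difference constraints).

```python
from itertools import product

INF = float("inf")

# Constructed sample: the variables of one path, with "0" as the reference
# variable so that a bound on a single variable is a difference against it.
VARS = ["0", "x", "y", "z"]
FEASIBLE_PATH = [("x", "0", 5), ("0", "x", -1), ("y", "x", 2),
                 ("z", "y", 3), ("0", "z", -4)]        # z >= 4 is consistent
INFEASIBLE_PATH = FEASIBLE_PATH[:-1] + [("0", "z", -12)]  # z >= 12, but z <= 10


def path_to_dbm(constraints, variables):
    """Build a difference bound matrix from a path's constraints.
    Each constraint (x, y, c) means x - y <= c; dbm[i][j] is the tightest
    known upper bound on v_i - v_j (INF when the path says nothing)."""
    idx = {v: k for k, v in enumerate(variables)}
    n = len(variables)
    dbm = [[0 if i == j else INF for j in range(n)] for i in range(n)]
    for x, y, c in constraints:
        dbm[idx[x]][idx[y]] = min(dbm[idx[x]][idx[y]], c)
    return dbm


def close_dbm(dbm):
    """All-pairs shortest path (Floyd-Warshall) over the DBM.
    Returns (closed, feasible): a negative diagonal entry is a negative
    cycle, i.e. no assignment satisfies the conjunction, which is what
    makes the path infeasible in the sense of claim 47."""
    n = len(dbm)
    d = [row[:] for row in dbm]
    for k, i, j in product(range(n), repeat=3):   # k is the outermost loop
        if d[i][k] + d[k][j] < d[i][j]:
            d[i][j] = d[i][k] + d[k][j]
    return d, all(d[i][i] >= 0 for i in range(n))


def dbm_to_constraints(dbm, variables):
    """Express each finite off-diagonal entry as a difference constraint
    x - y <= c; their conjunction is the tightened form of the path."""
    return [(variables[i], variables[j], dbm[i][j])
            for i, j in product(range(len(variables)), repeat=2)
            if i != j and dbm[i][j] < INF]


def canonical_path(constraints, variables=VARS):
    """Claim 49 for a single path: DBM, closure, then back to constraints.
    Returns (constraints, feasible); constraints is [] when infeasible."""
    closed, ok = close_dbm(path_to_dbm(constraints, variables))
    return (dbm_to_constraints(closed, variables) if ok else []), ok
```

The closed matrix exposes bounds the path only implied, such as z <= 10 from z <= y + 3, y <= x + 2 and x <= 5; a path whose closure has a negative diagonal is the one claim 47 drops.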

50. A method according to claim 12 for generating a data structure for analyzing a system modeled by 
a timed automaton having a number of states and clocks, wherein: 

step a) comprises: 

- determining a first set of variables to be used for the encoding of the states, 

- determining a second set of variables to be used for the clocks, 

step b) comprises: 

- identifying transitions between states, a transition comprising a starting state, an ending 
state, a requirement to be fulfilled in order to enable the transition to take place, an action 
to be performed when the transition takes place, and a requirement of the clocks to be 
fulfilled after the transition has taken place, 

step d) comprises: 

- for each transition, generating a data structure representing the requirement to be 
fulfilled in order for the transition to be enabled, 

step e) comprises: 

- constructing a data structure representing the set of reachable states by: 

* constructing a data structure R representing a set of initial states of the automaton, 

* repeatedly: 

• selecting a transition, 

• generating an amended data structure R' by conjugating the data structure representing 
the requirements of the selected transition with R, 

• generating an amended data structure R" by, in R', updating variables in accordance 
with the actions of the transition, 

• assigning R as the disjunction of R and R", 

until R is unchanged for all transitions, 

inquiring as to the existence of predetermined states of the automaton using any of the methods 
according to claims 37, 38, 39, and 44. 
51. A method according to claim 12 for generating a data structure for analyzing a concurrent system 
modeled by a composition of a number of timed automata each having a number of states and 
clocks, wherein: 

step a) comprises: 

- determining a first set of variables to be used for the encoding of the individual states of 
the automata, 

- determining a second set of variables to be used for the individual clocks of the automata, 

- determining a third and fourth set of variables to be used for encoding the new values of 
the variables from the first and second set such that there is a one-to-one correspondence 
between the variables in the first and third set, respectively in the second and fourth set, 

step b) comprises: 

- identifying non-idling transitions between states, a non-idling transition comprising a 
starting state, an ending state, a requirement to be fulfilled in order to enable the 
transition to take place, an action to be performed when the transition takes place, and a 
requirement of the clocks to be fulfilled after the transition has taken place, 

- identifying idling transitions from a state to itself, comprising a requirement to be 
fulfilled when none of the requirements of the non-idling transitions are fulfilled on that 
state, an empty action, and a requirement of the clocks to be fulfilled after the transition 
has taken place, 

step d) comprises: 

- for each transition, generating a data structure over the four sets of variables, representing 
a relation expressing the requirement to be fulfilled in order for the transition to be 
enabled using the first two sets of variables, expressing the action to be performed when 
the transition takes place using the third and fourth sets of variables, and expressing the 
requirement of the clocks using the third and fourth sets of variables, 

- generating a data structure A representing the advance time predicate using variables 
from the second and fourth set of variables, 

- constructing a data structure T representing the set of transitions by: 

* defining a data structure T as a terminal node representing "true", 

* for each automaton: 

• defining a data structure U as a terminal node representing "false", 

• for each transition of the automaton, assigning to U the disjunction of U and the 
selected transition, 

• assigning to T the conjunction of T and U, 

* assigning to T the disjunction of the advance time predicate A and T, 

step e) comprises: 

- constructing a data structure representing the set of reachable states by: 

* constructing a data structure R representing a set of initial states of the automata, 

* repeatedly: 

• generating a data structure R' by conjugating T and R, 

• generating a data structure R" by quantifying out all variables from the first and 
second set of variables using a method according to any of the claims 32-34 or 
36, 

• generating a data structure R'" by replacing all variables from the third and fourth 
set of variables with the corresponding variable from the first and second set, 

• assigning to R the disjunction of R and R'", 

until R is unchanged, 

inquiring as to the existence of predetermined states of the automata using a method according to 
any of the claims 37, 38, 39, and 44. 

52. A method according to claim 12 for generating a data structure for analyzing a concurrent system 
modeled by a timed Petri net, the Petri net having a number of transitions and states, each state 
having a clock and an associated time delay interval, wherein: 

step a) comprises: 

- determining a first set of variables to be used for the encoding of the states, 

- determining a second set of variables to be used for the clocks, 
step b) comprises: 

- identifying transitions between states, a transition comprising a starting state, an ending 
state, and a requirement to be fulfilled in order to enable the transition to take place, the 
identified transitions possibly including a transition that advances time, 

step d) comprises: 

- for each transition, generating a data structure representing the requirement to be 
fulfilled in order for the transition to be enabled, 

step e) comprises: 

- constructing a data structure representing the set of reachable states by: 
* constructing a data structure R representing an initial state of the Petri net, 

* repeatedly: 

• selecting a transition, 

• generating an amended data structure R' by conjugating the data structure representing 
the requirements of the selected transition with R, 

• generating an amended data structure R" by, in R', updating variables in accordance 
with the actions of the transition, 

• assigning R as the disjunction of R and R", 

until R is unchanged for all transitions, 

inquiring as to the existence of predetermined states of the Petri net using a method according to 
any of claims 37, 38, 39, and 44. 

53. A method according to claim 12 for generating a data structure for analyzing a system modeled 
by a min/max/linear constraint model, the model having a number of nodes, each either being a 
"max" node, a "min" node or a "linear" node, and a number of constraints each pointing from one 
node to another, each constraint representing a time interval, wherein: 

step a) comprises: 

- determining a set of variables, one for each node, 

step b) comprises: 

- identifying constraints between nodes, a constraint comprising a starting node, an ending 
node, and a time delay, 

step d) comprises: 

- for each node, generating a data structure by representing a relation between the actual 
node, the nodes from which constraints point to the actual node, time intervals of those 
constraints, and the type of the actual node (min, max, or linear), 

step e) comprises: 

- constructing a data structure by performing the conjunction of the data structures generated 
in step d). 

54. A method of analyzing a system modeled by a min/max/linear constraint model, the method com- 
prising: 
• generating a data structure according to the method of claim 53 where the terminal nodes of 
the data structures are adapted to represent a "true" or a "false", and where the inequalities 
in the nodes are difference constraints, 

• obtaining information from the data structure using the method of any of claims 37, 38, 39, 
and 44. 

55. A method according to claim 12 for constructing a data structure for a system modeled as Boolean 
combinations of linear inequalities, wherein: 

step d) comprises: 

- determining the linear inequalities, 

- defining a number of different expressions, each comprising a linear inequality, and 
step e) comprises: 

- combining the data structures using the method of claim 23. 

56. A method of analyzing a data structure constructed by the method of claim 55, the method 
comprising altering the data structure using the method of any of claims 21, 23, 47 or 48 and performing 
an assessment according to any of the claims 37, 38, 39, and 44. 

57. A method for analyzing an embedded system, a fault-tolerant system, a safety-critical system, or 
a concurrent composition of any such systems comprising 

• modeling the system using a concurrent composition of timed automata, 

• analyzing the model according to the method of claim 51. 

58. A method for analyzing an embedded system, a fault-tolerant system, a safety-critical system, or 
a concurrent composition of any such systems comprising 

• modeling the system using a timed Petri net, and 

• analyzing the model according to the method of claim 52. 

59. A method for analyzing an embedded system, a fault-tolerant system, a safety-critical system, or 
a concurrent composition of any such systems comprising 

• modeling the system using a timed automaton, and 

• analyzing the model according to the method of claim 50. 

60. A method for verifying interface timing between two components or systems, the method 
comprising: 
• modeling the interface timing of the two components or systems using a min/max/linear 
constraint model, 

• analyzing the model according to the method of claim 54. 

61. A method for analyzing economical systems, operations research systems, transport systems, or 
planning problems, the method comprising: 

• modeling the system or problem using Boolean combinations of linear inequalities, 

• analyzing the model according to the method of claim 56. 

62. A method for analyzing the timing behavior of a combinational circuit, the method comprising: 

• modeling the gates of the circuit using a min/max/linear constraint model, 

• analyzing the model according to the method of claim 54. 

63. A method for analyzing the timing behavior of a combinational circuit, the method comprising: 

• modeling the gates of the circuit using timed automata, 

• analyzing the model according to the method of claim 51. 

64. A method for analyzing the timing behavior of combinational parts of a sequential circuit, the 
method comprising: 

• modeling the gates of the parts of the circuit using a min/max/linear constraint model, 

• analyzing the model according to the method of claim 54. 

65. A method for analyzing the timing behavior of a sequential circuit, the method comprising: 

• modeling the gates of the circuit using timed automata, 

• analyzing the model according to the method of claim 51. 

66. A method for analyzing the timing behavior of an asynchronous circuit, the method comprising: 

• modeling the gates of the circuit using a timed Petri net, 

• analyzing the model according to the method of claim 52. 

67. A method for analyzing a sequential or concurrent computer program, the method comprising 

• modeling statements, such as assignments or conditional guards, as expressions containing 
inequalities in a data structure as defined in any of claims 1-11, 

• achieving a model of the full program by: 
- combining the models of the individual statements, using manipulation algorithms 
comprising Boolean operators, quantifiers and/or substitutions, according to any of the 
methods of claims 21, 23, 32-34, 36, 40-43, and 45-49, 

• constructing a data structure R representing an initial state of the program, 

• repeatedly: 

- selecting a statement, 

- generating an amended data structure R' by conjugating the data structure representing 
the requirements of the selected statement with R, 

- generating an amended data structure R" by, in R', updating variables in accordance 
with the actions of the statement, 

- assigning R as the disjunction of R and R", 
until R is unchanged for all statements, 

• analyzing the program by analyzing R using a method according to any of claims 37, 38, 39, 
and 44 or performing an alteration according to any of claims 21, 23, 32-34, 36, 40-43, and 
45-49 and subsequently analyzing the program by analyzing the altered data structure using 
a method according to any of claims 37, 38, 39, and 44. 

68. A data carrier comprising a data structure according to any of claims 1-11. 

69. A data carrier comprising a program for a computer, the program performing a method according 
to any of claims 12-67. 

70. A data carrier comprising a program for a computer, the program being adapted to enable a general 
purpose computer to perform the method according to any of claims 12-67. 